Cyber Incident Victim: Coeur Group
Date: Jun 2022
Location: United States of America
Summary
A mental health and substance abuse treatment provider experienced a breach when an employee's email account was compromised, potentially exposing patient information. The affected data included names, demographic details, insurance and clinical information, with some individuals' Social Security Numbers and credit card data also involved. Following discovery, the organization implemented enhanced security measures such as multi-factor authentication, firewall improvements, and revised access controls. Impacted individuals were offered complimentary credit monitoring services for one year. The incident highlights particular sensitivity given the nature of the provider's services, where exposure could carry risks beyond typical identity theft concerns.
Description
The Coeur Group, a Nebraska-based mental health and substance abuse treatment provider, experienced a cybersecurity incident involving unauthorized access to an employee’s email account within their business email system. The breach occurred between June 7 and July 12, 2022, and was discovered on July 26, 2022. The compromised account contained emails and attachments holding patient information, though the total number of affected individuals was not disclosed in public notices. Exposed data included full names, demographic details such as addresses and dates of birth, insurance information, and clinical records like provider names, diagnoses, conditions, and medications. A subset of patients also had their Social Security Numbers and credit card information exposed due to the presence of these details in the compromised emails or attachments. The organization did not specify whether the breach resulted from phishing, credential theft, or other attack vectors, nor did it confirm whether data was exfiltrated or merely accessed.

Upon detecting the breach, Coeur Group implemented multiple corrective measures, including a review of access controls, updated authentication requirements, revised security procedures, and strengthened network protocols. The organization deployed multi-factor authentication, enhanced firewall protections, and added monitoring alerts for potential cyber threats. Affected patients were offered one year of complimentary credit monitoring services through a third-party provider. A dedicated call center was established to address patient inquiries, operating during Central Standard Time business hours. While the notice emphasized standard financial risks like identity theft and fraud, it acknowledged potential non-financial harms for patients of a mental health provider, including stigmatization or personal distress stemming from unauthorized disclosure of sensitive treatment history. No evidence of data misuse was cited in the notice, which was published as a legal announcement rather than a website disclosure, and no corresponding entry appeared on the U.S. Department of Health and Human Services’ breach portal at the time of reporting.
