Cyber Incident Victim: UMC Physicians
Date: Mar 2018
Location: United States of America
Summary
UMC Physicians experienced a data breach when an employee's email account was compromised, potentially exposing personal health information of over 18,000 patients. The organization notified affected individuals and provided complimentary credit monitoring and identity restoration services for one year to mitigate risks of identity theft and fraud.
Description
UMC Physicians (UMCP) discovered a data breach impacting patient information on May 18, 2018, when their IT team identified unauthorized access to an employee’s email account. The compromise occurred on March 15, 2018, though the specific duration of unauthorized access prior to detection was not disclosed. The breached email account contained personal health information belonging to patients, potentially exposing sensitive data. UMCP determined that over 18,000 individuals might have had their information compromised, though the exact nature of the accessed data (such as medical records, insurance details, or identifiers) was not specified in available reports. No evidence suggested broader system infiltration beyond the single email account. The organization initiated an internal investigation following the discovery but did not publicly attribute the incident to a specific threat actor or methodology.

UMCP began notifying affected patients by July 12, 2018, advising them of the breach and providing guidance to mitigate identity theft and fraud risks. As a remedial measure, the organization offered impacted individuals one year of complimentary credit monitoring and identity restoration services. The breach did not disrupt clinical operations or patient care systems, as the compromise was confined to email communications. UMCP did not disclose whether regulatory penalties or legal actions resulted from the incident. The notification process emphasized transparency with patients but did not detail internal corrective actions, such as employee retraining or email security enhancements. No subsequent breaches or related incidents involving UMCP were reported following this event.
