Cyber Incident Victim: Womens Health USA

Date: Apr 2018

Location: United States of America

Summary

A Connecticut-based healthcare business associate experienced a phishing attack affecting employee accounts, potentially compromising protected health information. The incident exposed patient names, treatment-related details, and—for a smaller subset—Social Security numbers and medical insurance data. Following a months-long investigation, notifications were issued to over 17,000 impacted individuals. The organization functioned as a business associate to covered entities, necessitating coordinated breach disclosures once the scope was determined through forensic analysis.

Description

The phishing attack targeting Womens Health USA commenced in April 2018, with a subsequent incident occurring in August of the same year. The Connecticut-based business associate experienced unauthorized access to employee email accounts through these coordinated phishing campaigns, potentially exposing electronic protected health information (ePHI). Following detection, the organization initiated a multi-month forensic investigation to determine the scope of compromised data and identify affected individuals. This extended review period delayed final confirmation of impacted records until March 15, 2019, when Womens Health USA could formally notify its covered entity partners about the breach. The prolonged investigation timeline reflected the complexity of analyzing email account contents and verifying which specific patient records were accessible to attackers during the intrusion periods.

Notification letters were dispatched to 17,531 affected patients on March 29, 2019, coinciding with the organization's report to the U.S. Department of Health and Human Services. The compromised information primarily consisted of patient names and treatment-related details typically utilized during healthcare consultations, with a smaller subset of records containing more sensitive elements including Social Security numbers and medical insurance information. While the exact duration of unauthorized access wasn't specified, the dual attack waves in April and August 2018 indicated sustained targeting of the organization's email systems. No evidence suggested broader network infiltration beyond the compromised email accounts. The incident's discovery timeline and response mirrored similar healthcare phishing attacks disclosed during the same period, including a separate breach affecting Palmetto Health that impacted 23,811 patients through comparable tactics.
