
Cyber Incident Victim: East House

Date: Jul 2019

Location: United States of America

Summary

A cybersecurity incident at a New York-based nonprofit organization serving individuals with mental health and substance use challenges involved unauthorized access to an employee email account over several weeks. The breach potentially exposed sensitive personal and health information of current and former residents and employees, including names, Social Security numbers, driver's license details, treatment records, and limited financial account information. Following an investigation with forensic experts, the organization notified affected individuals despite finding no evidence of actual data misuse or attempted exploitation of the compromised information.


Description

On July 25, 2019, East House, a Rochester-based nonprofit serving individuals with mental illness and substance use disorders, detected suspicious activity in an employee email account, prompting an immediate investigation. The organization engaged a computer forensics firm to determine the nature and scope of the incident. Forensic analysis revealed unauthorized access to a single employee email account between July 8 and July 25, 2019, exposing sensitive information to unknown individuals. The investigation focused on reviewing the compromised account's contents to identify affected parties, a process that concluded on November 13, 2019, after extensive programmatic and manual examination of email data. During this four-month period, East House worked to establish which individuals had information within the account during the intrusion window. The breach impacted current and former residents alongside current, former, and prospective employees, though the organization found no evidence confirming specific access or misuse of personal data by unauthorized actors.


The compromised email account contained varying combinations of personal information including names, dates of birth, Social Security numbers, driver’s license or state ID numbers, treatment details, and health-related information. Financial account numbers were exposed for a minimal number of individuals. East House initiated notification procedures after completing the review and verifying mailing addresses for affected parties, issuing public disclosure on February 17, 2020—over seven months after initial detection and three months after identifying impacted individuals. Notifications emphasized the absence of evidence regarding actual or attempted misuse of exposed data, with the organization characterizing the disclosure as precautionary. Response efforts centered on forensic analysis, population identification, and logistical coordination for notification rather than public reports of containment measures or system remediation.
