Cyber Incident Victim: Presbyterian Healthcare Services

Date: Jul 2022

Location: United States of America

Summary

Presbyterian Healthcare Services experienced a phishing attack that compromised an employee email account, exposing protected health information of 2,624 patients. Unauthorized access to the account occurred intermittently over several months, potentially compromising names, dates of birth, Social Security numbers, medical record numbers, health insurance details, and limited clinical billing information, though no financial data was accessed. The organization detected the breach, notified affected individuals, and offered credit monitoring services to those with exposed Social Security numbers, while implementing enhanced email security measures and additional employee training to mitigate future risks. This incident follows prior cybersecurity breaches at the same healthcare provider.

Description

Presbyterian Healthcare Services, based in Albuquerque, NM, detected unauthorized access to an employee email account on July 8, 2022, following a response to a phishing email. The subsequent forensic investigation determined the account was compromised intermittently over a 107-day period, spanning from March 21, 2022, to July 8, 2022. During this timeframe, an unauthorized third party accessed protected health information stored within the email account. The compromised data included patient names, dates of birth, Social Security numbers, medical record numbers, and health insurance information. Limited clinical information related to billing processes—such as diagnosis codes and treatment details—was also exposed. No financial information was confirmed to have been accessed or exfiltrated during the breach. The organization initiated a comprehensive review of the affected email account contents to identify impacted individuals.

Presbyterian Healthcare Services began mailing notification letters to affected patients upon confirming the exposure of sensitive data, though the account review remained ongoing at the time of public disclosure. The organization offered complimentary credit monitoring and identity theft protection services specifically to patients whose Social Security numbers were exposed. In response to the incident, Presbyterian implemented additional security awareness training for its workforce and enhanced email security protocols to prevent similar breaches. This marked the third cybersecurity incident disclosed by the organization in recent years, following an August 2019 email breach affecting 1,120,629 patients and a subsequent hacking incident impacting 193,223 patients approximately one year later. The 2022 phishing attack directly affected 2,624 individuals, with no reported instances of data misuse at the time of notification.
