Cyber Incident Victim: St. Joseph Health System

Between December 16 and December 18, 2013, attackers gained unauthorized access to a single server within the St. Joseph Health System computer network located in Texas. This server contained sensitive personal information belonging to more than 400,000 individuals, including patients, employees, and employee beneficiaries. The compromised data included names, addresses, dates of birth, and Social Security numbers. Medical records were accessible for patients, while some employees had their banking information exposed. St. Joseph Health System detected the intrusion on December 18, 2013, and immediately terminated access to the affected server. Forensic investigations could not conclusively determine whether attackers actually viewed or extracted data during the three-day window of unauthorized access.

Upon discovery of the breach, St. Joseph Health System engaged national security and computer forensics experts to investigate the incident’s scope and origin. The organization notified the Federal Bureau of Investigation (FBI), which initiated its own inquiry. On February 5, 2014, St. Joseph began notifying all potentially impacted individuals via mailed letters, disclosing the nature of the exposed data and the uncertainty regarding actual misuse. The notification, signed by Corporate Compliance and Privacy Officer Denise Goffney, emphasized that while data access was possible, forensic evidence could not confirm information theft. Affected parties received offers for one free year of identity protection services. No additional technical details about the attack vector or perpetrator identity were disclosed publicly during the initial response phase.