Cyber Incident Victim: Kennedy Krieger Institute
Date:
May 2023
Location:
United States of America
Summary
Kennedy Krieger Institute, part of the Johns Hopkins system, suffered an external system breach resulting in the compromise of personal information belonging to hundreds of thousands of individuals. The incident involved the acquisition of names combined with Social Security numbers. The organization offered two years of credit monitoring and identity theft protection services to all affected persons.
Description
On May 31, 2023, the Kennedy Krieger Institute, along with The Johns Hopkins University and The Johns Hopkins Health System Corporation, discovered an external system breach that constituted a cybersecurity incident. The breach itself had occurred two days prior, on May 29, 2023. The incident was identified as an external system breach resulting from hacking activity. The compromised entities, all operating within the healthcare sector and sharing an address at 733 N. Broadway in Baltimore, MD, 21205, engaged outside legal counsel to manage the breach notification process. Baker & Hostetler LLP, represented by partner Lynn Sessions, served in this capacity and was the designated submitter for official state notifications.

The total number of individuals affected by this security breach was 363,885. This figure included 43 residents of the state of Maine. The investigation into the breach determined that the acquired information involved the name or other personal identifier of an individual in combination with their Social Security Number. The exposure of this highly sensitive personally identifiable information created a significant risk of identity theft and financial fraud for the hundreds of thousands of impacted persons.
In response to the incident, the entities undertook a consumer notification process by written letter. The date scheduled for consumer notification was June 23, 2023, approximately three weeks after the breach was discovered; the filing does not state when the investigation concluded, but this window is consistent with determining the scope of the incident and the affected population before notifying individuals. A copy of the notice intended for affected Maine residents was filed with the Maine Attorney General's office under the title "Hopkins - Maine Attachment.pdf."
As part of their response to mitigate potential harm to the affected individuals, the Kennedy Krieger Institute and its affiliated entities offered identity theft protection services. The provider of these services was IDX. The services included comprehensive credit monitoring and identity theft protection. These services were offered to all impacted individuals at no cost for a duration of two years. This offering was designed to help detect any potential misuse of the stolen personal information and provide support to victims should any fraudulent activity occur as a result of the data breach.
The breach notification submitted to the Office of the Maine Attorney General stated that the consumer reporting agencies had not been notified regarding the affected Maine residents. This was because the number of Maine residents impacted, 43, did not exceed the 1,000-person threshold at which Maine's breach notification statute requires such notification. That determination applies only to the Maine population; other states set their own thresholds, and the Maine filing does not speak to whether consumer reporting agencies were notified elsewhere. There was no indication of any previous breach notifications having been issued by these entities within the twelve months preceding this incident.
The incident represented a substantial compromise of personal data, given the large number of individuals involved and the sensitive nature of the information exfiltrated. The combination of names with Social Security numbers is particularly valuable to malicious actors, as it can be used to open new lines of credit, file fraudulent tax returns, or obtain medical services under a false identity. The healthcare sector is a frequent target for such attacks due to the richness of the personal data it holds.
The response actions followed a pattern consistent with standard post-breach protocols, focusing on investigation, notification, and the provision of protective services. The engagement of an external law firm with expertise in data breach response, Baker & Hostetler LLP, indicated a structured approach to managing the legal and regulatory obligations stemming from the incident. The filing with the Maine Attorney General’s office was part of a broader effort to comply with state data breach notification laws across multiple jurisdictions.
The discovery of the breach on May 31, 2023, initiated a process to contain the incident and assess its damage. The public notification did not detail how the hacking was executed or which systems were initially compromised; the classification as an external system breach indicates only that the intrusion originated from outside the organizations' networks. The two-day gap between the breach occurrence and its discovery is short, but the notification did not specify the detection method, nor whether the May 29 date marks initial access or the acquisition of the data, so little can be concluded from it about the organizations' monitoring capability.
The consequences of the breach were primarily focused on the potential for identity theft among the affected population. The organizations involved bear the operational and financial costs associated with the investigation, the notification process, and the provision of two years of credit monitoring services for over 360,000 people. The reputational impact on the healthcare and research institutions is another significant consequence, potentially affecting patient and research participant trust.
The breach notification was filed under the entities of The Johns Hopkins University, The Johns Hopkins Health System Corporation, and the Kennedy Krieger Institute, suggesting shared or interconnected IT infrastructure through which a single compromise affected all three, although the notification does not identify the system involved. Their shared physical address in Baltimore, Maryland, further underscores their operational connection. The unified response, managed through a single outside counsel, points to a coordinated effort to address the incident across all impacted organizations.
The timeline of events began with the breach occurring on May 29, 2023. The discovery followed on May 31, 2023. The investigation then proceeded throughout the following weeks, culminating in the decision to notify consumers by written letter on June 23, 2023. This timeline reflects a period of just over three weeks from discovery to planned consumer notification, a timeframe that aligns with the need to properly investigate a breach of this scale before informing the public.
The scope of the breach, affecting more than 360,000 people, places it among the larger healthcare data breaches reported during that period. The narrow set of data elements acquired, names and Social Security numbers, may indicate that the attackers targeted specific databases or record types rather than engaging in an indiscriminate data grab, though it is equally consistent with the compromised system simply holding only those fields. The value of this data on criminal markets makes it a prime target for cybercriminal enterprises.
The institutional response included filing with state authorities where affected residents resided. The Maine filing is one example of this compliance, and similar notifications would have been required in other states pursuant to their respective laws. The offering of identity protection services is a common and expected mitigation step intended to reduce the risk of harm to the victims and to demonstrate a commitment to addressing the consequences of the breach.
The incident underscores the persistent threat that external hacking poses to large healthcare and research institutions. These organizations manage vast repositories of sensitive personal and health information, making them attractive targets for cyberattacks. The breach at Kennedy Krieger Institute and its affiliates is a single instance of this ongoing challenge, highlighting the critical need for robust cybersecurity measures to protect patient and participant data from increasingly sophisticated threats.
