Cyber Incident Victim: Sunspire Health

Sunspire Health, a national addiction treatment provider, experienced a phishing attack compromising multiple employee email accounts between March 1 and May 4, 2018. The organization detected unauthorized access between April 10 and May 17, 2018, after employees fell victim to phishing emails that exposed account credentials. Forensic investigation confirmed the attackers potentially accessed patient information including names, dates of birth, Social Security numbers, treatment details, diagnoses, and health insurance data. While no evidence of actual misuse emerged, the breach scope prompted notification to an undisclosed number of affected individuals. The incident was reported to the U.S. Department of Health and Human Services and state authorities, with plans to list it on the HHS breach portal.

Upon discovery, Sunspire immediately secured compromised accounts and initiated a third-party forensic investigation. The company implemented enhanced technical safeguards and administrative protocols, including additional employee training to prevent future incidents. On July 16, 2018, Sunspire publicly disclosed the breach via website notice and direct patient notifications, offering 90 days of complimentary credit monitoring and identity theft protection services. A dedicated toll-free privacy line (888-899-8301) operated for 90 days to assist patients with fraud alerts, credit freezes, and breach-related inquiries. The organization emphasized ongoing internal reviews to strengthen security measures while maintaining treatment operations across its nationwide facilities.