Cyber Incident Victim: Loudoun Medical Group
Date:
Jun 2019
Location:
United States of America
Summary
An employee email account at Loudoun Medical Group, operating as Comprehensive Sleep Care Center, was compromised by unauthorized actors over several days. The breach was detected following unusual activity in the account, with subsequent investigations revealing access to sensitive patient information stored within the affected mailbox. Exposed data included personal identifiers such as names, Social Security numbers, driver's license details, and financial information, alongside medical records, treatment histories, and insurance details. The organization completed its review of impacted individuals approximately four months after discovery and initiated patient notifications. While complimentary monitoring services were reportedly distributed later, initial communications did not include such offerings. The incident involved no broader system intrusion beyond the single email account.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around June 19, 2019, Loudoun Medical Group operating as Comprehensive Sleep Care Center (CSCC) in Virginia detected unusual activity within an employee’s email account. The organization initiated an investigation that determined unauthorized individuals had accessed the account between June 15 and June 19, 2019. The breach investigation focused on identifying the scope of compromised information and affected individuals, a process that extended until approximately October 17, 2019. The compromised email account contained varied patient information depending on individual cases, with potential exposure including names, dates of birth, Social Security numbers, driver’s license details, passport numbers, medical record identifiers, patient account numbers, payment card data, financial account information, medical histories, health insurance details, treatment records, and dates of service. The extended timeframe between detection and notification reflected the complexity of reviewing email contents across multiple patients and data categories.
CSCC issued a public press release on November 26, 2019, formally notifying patients about the breach and confirming the completion of their forensic review. The notification clarified that while financial and medical data exposure occurred, the incident remained confined to a single employee email account without evidence of broader system compromise. Affected individuals received mailed notifications containing information about complimentary credit monitoring services, though initial press materials did not reference these offerings. The organization did not report the incident to the U.S. Department of Health and Human Services’ public breach portal at the time of the press release. The breach exposed sensitive personal and health information critical to medical identity theft and financial fraud, requiring individualized risk assessments for each affected patient based on their specific data exposure.