Cyber Incident Victim: Jefferson County Health Center
Date:
Jan 2023
Location:
United States of America
Summary
Jefferson County Health Center experienced a cybersecurity breach involving unauthorized access to its network server, compromising sensitive patient information for approximately 115,940 individuals. The incident exposed personal and medical data, including names and Social Security numbers, leading the organization to review affected files and notify impacted parties through breach notification letters. The healthcare provider reported the event to federal regulators as a hacking-related IT incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 13, 2023, Jefferson County Health Center, operating as Jefferson County Health Department, filed a notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights. The breach involved unauthorized access to a network server containing sensitive patient information due to a hacking/IT incident. The organization discovered that confidential patient data entrusted to them had been compromised, prompting an internal review of affected files. This review aimed to identify the specific types of information exposed and the individuals impacted by the security incident. While the exact date of the cyberattack’s occurrence was not disclosed in the HHS-OCR filing, the breach notification was submitted on January 13, 2023, coinciding with the initiation of consumer notifications. Jefferson County Health Department confirmed that the compromised data varied by individual but potentially included names, Social Security numbers, and certain medical information. The organization did not publicly disclose technical details regarding the attack vector, duration of unauthorized access, or specific systems targeted beyond confirming the involvement of a network server.
The breach affected 115,940 individuals, leading Jefferson County Health Department to mail data breach notification letters to all impacted parties on January 13, 2023. The compromised information exposed victims to potential risks of fraud and identity theft due to the sensitivity of the exposed data elements. Jefferson County Health Center, a healthcare provider based in Hillsboro, Missouri, operates three facilities in Hillsboro, Arnold, and High Ridge, serving Jefferson County residents. With approximately 65 employees and $5 million in annual revenue, the organization provides various healthcare services through these locations. The incident response included federal regulatory compliance through the HHS-OCR filing and direct consumer notifications but did not include publicly disclosed remediation steps or containment measures beyond the review of affected files. No information was provided regarding law enforcement involvement, forensic investigations, or security enhancements implemented following the breach. The breach represents a significant compromise of protected health information under HIPAA jurisdiction given the scale of affected individuals and the nature of the exposed data.