Cyber Incident Victim: PIH Health
Date: Jun 2019
Location: United States of America
Summary
PIH Health experienced a data security incident involving unauthorized access to employee email accounts compromised through a targeted phishing campaign, affecting nearly 200,000 patients' personal and protected health information. The breach was confined to email systems, with no evidence of misuse identified during the forensic investigation. The organization secured affected accounts, initiated an investigation with external cybersecurity experts, and notified impacted individuals while offering complimentary credit monitoring services. Substitute notice was provided via website posting for patients whose contact details were unavailable.
Description
On June 18, 2019, PIH Health discovered unauthorized access to employee email accounts resulting from a targeted phishing campaign. The organization immediately secured affected accounts by resetting passwords and initiated an investigation with independent cybersecurity experts. Forensic analysis determined the unauthorized access occurred between June 11 and June 18, 2019, confined exclusively to compromised email accounts without penetration of other information systems. By October 2, 2019, investigators confirmed the email account breaches, prompting a subsequent review of email contents to identify exposed data. This secondary analysis concluded on November 12, 2019, revealing that unauthorized parties potentially accessed personal information and protected health information belonging to current and former patients stored within the breached email accounts.

The incident affected approximately 200,000 individuals whose data resided in the compromised accounts. PIH Health mailed notification letters to identifiable victims on January 10, 2020, while publishing substitute notices for individuals with unverified contact information. The organization established a dedicated call center operating during Central Time business hours and offered complimentary credit monitoring through Kroll to eligible recipients. PIH Health reported the breach to the U.S. Health and Human Services Office for Civil Rights and consumer reporting agencies. Forensic investigators found no evidence of actual misuse of the exposed information. The organization emphasized that it was implementing additional security measures to prevent recurrence, while maintaining that no systems beyond the targeted email accounts were compromised during the incident.
