Cyber Incident Victim: Saint Agnes Medical Center
Date:
Jan 2021
Location:
United States of America
Summary
Saint Agnes Medical Center reported that patient information was exposed after an employee’s email account at its sister hospital, Saint Alphonsus Health System, was compromised and used to send phishing messages attempting to harvest credentials. The compromised account was later also used to distribute breach‑notification letters, but a mail‑merge error caused some recipients to be incorrectly addressed as deceased or minors, compounding the impact on affected individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 4‑6, 2021, an unauthorized user gained access to an employee’s email account at Saint Alphonsus Health System, a sister hospital of Saint Agnes Medical Center. The compromised account was used to send phishing emails attempting to harvest login IDs and passwords from recipients. This email breach originated within the Saint Alphonsus environment and subsequently affected Saint Agnes Medical Center, leading to the compromise of patient data held by the medical center. The incident was identified after the malicious activity was observed in the employee’s mailbox.

As part of the breach response, Saint Alphonsus began sending notification letters to affected individuals informing them of the email security event. During the generation of these letters, a mail merge error occurred, causing some recipients to be incorrectly labeled as deceased or as minors. Consequently, certain patients received notifications that erroneously stated they were dead or underage, creating confusion and distress. The erroneous notifications were discovered after recipients reported the inaccurate status to the hospital.
Saint Agnes Medical Center issued a media release describing the incident and later published a press release on March 4, 2021, providing further details about the breach and its impact on patient data. Saint Alphonsus Health System acknowledged the employee email compromise and explained that the mail merge issue was an unintentional mistake in the notification process. Both organizations stated that they were taking steps to address the security incident and to correct the erroneous notifications, though specific remedial actions were not disclosed in the available sources. The combined disclosures constitute the public response to the cybersecurity event affecting Saint Agnes Medical Center.
