
Cyber Incident Victim: MJ Care

Date: May 2022

Location: United States of America

Summary

MJ Care experienced unauthorized access to an email account containing patient protected health information, potentially exposing names, Social Security numbers, financial data, treatment details, insurance information, and other medical records. The breach impacted 1,832 individuals, with compromised Social Security numbers triggering complimentary credit monitoring offers. The organization completed its account review months after the intrusion and notified affected patients accordingly.


Description

In May and June 2022, an unauthorized individual gained access to an email account belonging to MJ Care, a Wisconsin-based rehabilitation and health services provider. The breach persisted for nearly a month, with the account compromised between May 31 and June 24, 2022. While MJ Care did not disclose exactly when the intrusion was discovered, the subsequent forensic investigation confirmed the exposure window and concluded its review of the affected email account on November 2, 2022. The analysis revealed that the compromised account contained protected health information of 1,832 patients, including full names combined with sensitive identifiers. Exposed data elements included Social Security numbers, dates of birth, financial account details, credit/debit card information, biometric data, treatment dates, diagnosis information, provider names, medical record numbers, prescribed medications, general health information, and health insurance policy details. This combination of personal, financial, and clinical data created significant privacy risks for affected individuals, particularly the risk of identity theft and medical fraud.

MJ Care formally notified all impacted patients about the breach on December 29, 2022, approximately seven months after the initial unauthorized access period and nearly two months following the investigation's completion. The notification letters outlined the specific categories of exposed information corresponding to each recipient's records. As a remedial measure, the organization offered complimentary credit monitoring services exclusively to patients whose Social Security numbers were confirmed as compromised in the incident. The public disclosure did not specify whether MJ Care implemented additional security upgrades, modified email access protocols, or enhanced employee training following the breach. No information was provided regarding containment actions taken during the investigation period or whether law enforcement agencies were involved in probing the unauthorized access incident.
