Cyber Incident Victim: Primary Health Care
Date: Feb 2017
Location: United States of America
Summary
A cybersecurity incident at Primary Health Care involved unauthorized access to four employee email accounts and associated Google Drives, prompting an immediate termination of access and forensic investigation. The organization could not confirm which specific emails or files were compromised but identified potentially exposed protected health information including patient names, contact details, Social Security numbers, financial data, medical histories, treatment details, and insurance identifiers. While no evidence of actual or attempted misuse was found, notifications were issued to affected individuals and regulatory authorities as a precautionary measure, alongside enhancements to existing security protocols.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 1, 2017, Primary Health Care Inc. (PHC) discovered unauthorized access to four employee email accounts that had occurred the previous day, February 28, 2017. The organization immediately terminated the unauthorized access and initiated an investigation to assess the scope and impact of the breach. PHC engaged a forensic investigator to examine both the compromised email accounts and associated Google Drive storage systems. The investigation aimed to determine which specific emails or files might have been accessed during the intrusion and what protected health information they contained. Despite these efforts, PHC could not conclusively establish whether any individual emails or documents had actually been viewed or exfiltrated by the unauthorized party. As a precautionary measure, investigators conducted a comprehensive review of all contents within all four email accounts and linked Google Drives to identify potentially exposed data. The breach detection timeline indicates the intrusion was identified within 24 hours of occurrence, though the initial attack vector remained unspecified in public disclosures. Containment actions focused on securing the compromised accounts and preventing further unauthorized access during the investigation period.

The forensic review revealed that the email accounts and Google Drives contained various combinations of patient information including names, phone numbers, Social Security numbers, driver's license numbers, financial account details, credit/debit card information, dates of service, medical diagnoses, treatment records, medical history, healthcare provider details, health insurance information, and Medicaid identification numbers. PHC explicitly stated they found no evidence suggesting actual or attempted misuse of the compromised data following the breach. In response to the incident, the organization implemented additional security safeguards across its systems while maintaining existing security measures it described as stringent. PHC initiated patient notification procedures to inform potentially affected individuals about the potential exposure of their protected health information. The organization also prepared to report the incident to the U.S. Department of Health and Human Services as required by healthcare breach notification regulations. No specific details were provided regarding the number of affected patients, the duration of potential exposure beyond the confirmed breach date, or the identity or motivation of the threat actors behind the email account intrusions.
