Cyber Incident Victim: Eventus WholeHealth
Date:
Jun 2022
Location:
United States of America
Summary
Eventus WholeHealth experienced a data breach involving unauthorized access to an employee email account, compromising sensitive consumer information. The incident was detected through suspicious activity, prompting the company to terminate unauthorized access and engage a cybersecurity firm for investigation. Confirmation of compromised personal data in emails and attachments followed, though specific data types were not publicly disclosed; Montana reporting requirements indicate potential exposure of Social Security numbers, financial account details, or protected health information. The North Carolina-based healthcare provider notified affected individuals, emphasizing risks of identity theft and fraud. The organization provides primary and mental health services to vulnerable adults in post-acute care and assisted living facilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 1, 2022, Eventus WholeHealth detected suspicious activity involving an employee's email account, prompting immediate termination of unauthorized access to the compromised account. The company engaged an external cybersecurity firm to investigate the incident, confirming on August 17, 2022, that an unauthorized party had accessed both the email account and sensitive personal information contained within emails and attachments. Eventus conducted a review of affected files to identify compromised data types and impacted individuals but did not publicly disclose specific categories of exposed information. The company reported the breach to the Montana Attorney General on October 6, 2022, meeting state reporting requirements that mandate disclosure only when breaches involve Social Security numbers, driver's license/state ID numbers, protected health information, or financial account details. Data breach notification letters were distributed to affected individuals on October 6, 2022, advising them of potential risks but without specifying exact compromised data elements. No evidence suggests the breach extended beyond the single employee email account or involved other corporate systems.
Eventus WholeHealth, formed through a merger of OnsiteCare, Extended Care Specialist, and DoctorsMakingHouseCalls, provides primary care and mental health services to medically vulnerable adults in post-acute care and assisted living facilities. The North Carolina-based organization employs over 311 people and generates approximately $13 million in annual revenue. The breach exposed sensitive consumer information but did not disrupt healthcare service delivery. Eventus completed its internal review and external investigation within four months of initial detection, implementing containment measures upon discovering the unauthorized access. The compromised data remained within email communications and attachments rather than structured databases or electronic health records systems. No ransomware involvement, data destruction, or financial demands were referenced in the company's regulatory filing.