Cyber Incident Victim: St. Joseph Medical Group
Date: Feb 2015
Location: United States of America
Summary
Unauthorized access to outdated staff credentials occurred at St. Joseph Medical Group through an SQL injection attack, resulting in a public dump of 98 usernames, MD5-hashed passwords, and email addresses. The compromised data originated from an obsolete internal file-sharing application containing non-patient documents, which had been inactive for an extended period. The breach was identified externally via social media disclosures, prompting third-party notification attempts that initially failed because the contact details listed for the organization were non-functional. Once contact was established, the medical group's webmaster confirmed that the data was historical and mitigated the exposure by permanently removing the associated databases and files to prevent further access.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The incident involving St. Joseph Medical Group, part of Lutheran Health Network, began with public exposure on February 14, 2015, when Twitter users @DeleteSec and @DerpLaughing posted a data dump obtained through an SQL injection attack. The compromised data included 98 usernames, MD5-hashed passwords, and email addresses associated with staff members. On April 24, 2015, cybersecurity watchdog DataBreaches.net attempted to notify Lutheran Health Network after observing the breach announcement by Twitter user @Compl3x1ty. Initial notification efforts faced significant obstacles: St. Joseph Medical Group's website provided no functional contact method for reporting security issues, and the phone number listed in its domain registration records was non-operational. DataBreaches.net ultimately succeeded in alerting the organization by emailing the technical contact address listed in the domain registration records, though this process delayed formal disclosure.

Lutheran Health Network's webmaster confirmed that the breach involved legacy credentials from a deprecated file-sharing application created several years before the incident, predating the widespread adoption of services like Dropbox. The compromised credentials provided access only to non-patient documents stored in an unsecured system that had been inactive for an extended period. Forensic analysis determined that the exposed data constituted a small historical subset of staff accounts, with no active clinical or patient information exposed. In response, the webmaster permanently removed all database tables and associated files linked to the obsolete application to eliminate the risk of recurrence. No evidence suggested misuse of the credentials prior to their public exposure in the February data dump. The organization acknowledged that the security lapse stemmed from inadequate decommissioning procedures for outdated systems, but confirmed that the incident had no operational or patient-care impact.
