Cyber Incident Victim: NorthStar Anesthesia
Date:
Apr 2018
Location:
United States of America
Summary
A NorthStar Anesthesia incident involved unauthorized access to employee email accounts via a phishing campaign over several weeks. Compromised accounts contained sensitive patient information including names, dates of birth, health insurance details, medical history, treatment records, and for some individuals, Social Security numbers. The organization initiated an investigation with third-party forensic experts, notified potentially affected patients, and reported the breach to regulatory authorities. Affected individuals were offered complimentary credit monitoring and identity restoration services for two years, alongside guidance on monitoring financial accounts and protecting against identity theft. A dedicated assistance line was established to address inquiries related to the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
NorthStar Anesthesia discovered a phishing campaign targeting employee email accounts between May 23 and 24, 2018, prompting an immediate internal response and investigation. The company engaged third-party forensic experts to determine the scope and nature of the breach, which revealed unauthorized access to employee email accounts had occurred from April 3 through May 24, 2018—a period spanning approximately seven weeks. The compromised accounts contained sensitive personal and medical information, with the specific data elements varying across affected individuals. Exposed information included patient names, dates of birth, health insurance application details, claims information, policy numbers, medical history, treatment and diagnosis records, medical record numbers, IRS identity protection numbers, and taxpayer identification numbers. A subset of individuals also had their Social Security numbers exposed through the incident. The investigation confirmed the attackers obtained access via compromised email credentials but did not identify the specific threat actors or their motives.
NorthStar initiated notification procedures by mailing letters to potentially impacted individuals and established a dedicated toll-free assistance line operational Monday through Friday. The company offered affected persons two years of complimentary credit monitoring and identity restoration services. Guidance provided to recipients included recommendations to review account statements, monitor credit reports, and remain vigilant against identity theft. Notification materials detailed contact information for the three major credit bureaus—Equifax, Experian, and TransUnion—and referenced Federal Trade Commission resources for identity theft victims. NorthStar reported the breach to the U.S. Department of Health and Human Services and relevant state regulators as required by law. While emphasizing existing security measures, the organization acknowledged implementing additional safeguards following the incident without specifying technical or procedural changes. The response focused on containment through credential resets, forensic analysis completion, and compliance with regulatory notification timelines over a two-month period following initial detection.