Cyber Incident Victim: Fisher-Titus Medical Center

In August 2020, an unauthorized individual gained access to an employee email account at Fisher-Titus Medical Center, a hospital based in Norwalk, Ohio. The breach persisted until October 2020, during which the attacker had sustained exposure to sensitive information contained within the compromised account. The email account stored extensive personal and medical data belonging to patients, including full names, Social Security numbers, credit and debit card numbers, medical diagnoses, clinical treatment details, and health insurance information. The medical center discovered the intrusion but did not publicly specify the exact detection method or timeline for identifying the breach. No information was disclosed regarding whether the attacker exfiltrated data or merely accessed it, nor were the motives or identity of the threat actor revealed.

Fisher-Titus Medical Center initiated patient notifications in February 2021, approximately four to six months after containing the breach. The notifications confirmed the exposure of highly sensitive data categories that carried significant risks of identity theft, financial fraud, and medical privacy violations. The hospital did not disclose the total number of affected individuals or whether external cybersecurity firms or law enforcement were involved in the investigation. No specifics were provided regarding containment measures, such as resetting credentials or enhancing email security protocols. The incident highlighted risks associated with storing unprotected sensitive data in employee email accounts, though the medical center did not elaborate on planned operational changes to prevent recurrence.