Cyber Incident Victim: Beaumont Health
Date: Jan 2020
Location: United States of America
Summary
Beaumont Health experienced two phishing-related security incidents, with the second compromising several employee email accounts and potentially exposing personal health information of approximately 6,000 patients. The unauthorized access occurred over several weeks, with compromised accounts containing sensitive data including patient names, birth dates, medical diagnoses, treatment details, prescription information, and medical record numbers. The organization detected the intrusion through routine monitoring, subsequently disabling affected accounts, resetting credentials, and conducting an investigation that found no evidence of data viewing or copying. While no misuse of information was reported, notifications were issued to potentially impacted individuals advising vigilance regarding financial and insurance statements. The healthcare provider implemented enhanced security measures including multi-factor authentication upgrades and additional staff training following these incidents.
Description
In early January 2020, Beaumont Health detected unauthorized access to employee email accounts through routine monitoring systems. The investigation revealed that between January 3 and January 29, 2020, external actors had compromised six email accounts belonging to a small number of employees who fell victim to a phishing scam. The compromised accounts contained protected health information including patient names, dates of birth, medical diagnoses, diagnosis codes, treatment details, prescription information, procedure codes, patient account numbers, and medical record numbers. Beaumont immediately disabled the affected email accounts and performed password resets upon discovering the breach. The organization launched a comprehensive forensic investigation that concluded on June 5, 2020, determining that while unauthorized access had occurred, no evidence suggested the attackers viewed or copied specific emails or attachments containing PHI. Despite this finding, Beaumont issued breach notifications on July 25, 2020, to approximately 6,000 potentially affected patients – representing 0.3% of their 2.3 million patient population – advising them to monitor financial accounts and insurance statements for suspicious activity.

This incident marked Beaumont Health's second phishing-related breach within a year, following an April 2020 notification regarding a separate late-2019 email compromise affecting 112,211 individuals. The health system implemented multiple corrective actions including enhancements to multi-factor authentication systems, comprehensive risk analysis procedures, and additional employee training programs focused on identifying malicious emails. A Beaumont spokesperson emphasized the organization's caution in notifying all potentially impacted patients despite lacking evidence of actual data misuse. Forensic analysis confirmed the attackers never moved beyond the compromised email accounts into broader network systems or electronic medical records. No reports of patient information misuse had been received by Beaumont as of the August 2020 disclosure. The health system maintained that both breaches resulted from isolated phishing incidents rather than systemic security failures, with no identified connection between the two events.
