Cyber Incident Victim: Casa Salud Corporation
Date:
Jun 2020
Location:
United States of America
Summary
Unauthorized access to email accounts at La Casa de Salud exposed protected health information of patients across multiple affiliated programs, including names, Social Security numbers, medical records, treatment details, and financial data. The breach occurred over a six-day period and was detected weeks later, though forensic analysis could not confirm whether data was viewed or exfiltrated. Impacting 9,969 individuals, the incident involved delayed notifications sent over 18 months after discovery, with credit monitoring offered to those whose sensitive identifiers were compromised. The breach stemmed from compromised email accounts within the parent organization's network, affecting clients of several healthcare service providers under its umbrella.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The incident involving La Casa de Salud, a program under the New York-based Acacia Network, was detected on July 17, 2020. Unauthorized access to email accounts occurred between June 6 and June 12, 2020. Upon discovery, the organization immediately launched an investigation and engaged a forensic firm to assist. The forensic analysis could not confirm whether emails or attachments within the compromised accounts were viewed or copied by the threat actor. A subsequent review of the affected email accounts revealed they contained extensive protected health information (PHI) and personally identifiable information (PII), including patient names, Social Security numbers, driver’s license numbers, addresses, birthdates, financial account numbers, medical record numbers, resident identification numbers, health insurance details, Medicare numbers, provider names, treatment information, prescription data, and diagnostic information. The breach impacted clients across multiple Acacia Network programs, specifically listing Bronx Accountable Healthcare Network, Bronx Addiction Services Integrated Concepts System, Community Association of Progressive Dominicans, El Regreso, Greenhope Services for Women, La Casa De Salud, Promesa, and United Bronx Parents.
The breach was reported to the HHS Office for Civil Rights under La Casa De Salud’s name, affecting 9,969 individuals, though the total scope remained unclear. Notification letters were mailed to affected individuals on February 22, 2022—over 18 months after the breach was detected—without explanation for the delay. Credit monitoring and identity protection services were offered complimentary to those whose Social Security numbers or driver’s license numbers were exposed. The compromised systems were limited to email accounts, with no evidence suggesting broader network infiltration. No additional technical safeguards or containment measures beyond securing the email accounts were detailed in the report. The exposure of sensitive data created risks of identity theft and financial fraud for impacted individuals, though no confirmed misuse of data was disclosed at the time of notification.