Cyber Incident Victim: Cornerstone Care
Date: Jun 2020
Location: United States of America
Summary
A cybersecurity incident at Cornerstone Care involved unauthorized access to a corporate email account, identified after the organization detected suspicious activity. The organization opened an investigation with forensic experts, who confirmed the compromise of a single account. Subsequent analysis identified protected health information in the account and extracted contact details for affected individuals. Notifications were ultimately issued to over 11,000 patients approximately eight months after initial detection, and the formal discovery date was reported as the date the forensic review concluded rather than the date of initial detection. The delayed timeline between breach identification and patient notification reflects broader industry patterns discussed in comparative breach disclosures.
Description
On June 1, 2020, Cornerstone Care detected suspicious activity linked to a corporate email account, prompting an immediate internal investigation. The organization engaged independent computer forensic investigators to help determine the scope and nature of the incident. Forensic analysis confirmed that only one email account had been compromised, with no evidence of broader system infiltration. Following this determination, investigators conducted an in-depth review of the compromised account to identify any protected health information (PHI) it contained and to extract contact details of potentially affected individuals. The forensic team systematically examined email contents and attachments to catalog the exposed data types, though the specific categories of PHI involved were not publicly disclosed. This phase focused exclusively on the single breached account, with no indication that threat actors accessed other systems or accounts or exfiltrated data from them.

The forensic review concluded on January 13, 2021, when investigators provided Cornerstone Care with a finalized list of 11,487 individuals whose PHI may have been exposed through the compromised email account. Between June 2020 and January 2021, the organization issued no patient notifications while awaiting completion of the forensic analysis. On February 25, 2021, eight months and twenty-four days after initial detection, Cornerstone Care issued breach notifications to all affected patients. These notifications formally documented January 13, 2021, as the "discovery date" of the breach in regulatory filings, despite the organization's original June 2020 awareness of the security incident. Public statements did not detail the period during which the compromised account was accessed, or whether data was exfiltrated or merely accessible. No ransomware deployment or financial theft was reported in connection with the incident, which appeared limited to unauthorized email account access.
