Cyber Incident Victim: DePaul Treatment Centers

On February 1, 2019, DePaul, a local housing and health provider, identified a potential data breach involving a single employee's email account compromised through a phishing scam. Phishing scams involve external actors obtaining email credentials to access sensitive information or distribute malicious communications. Upon discovery, DePaul immediately secured the affected email account and initiated an internal investigation. The organization also provided additional training to staff to improve recognition and avoidance of similar threats. The investigation focused on reviewing the contents of the compromised account, ultimately examining over 41,000 emails to determine the scope of exposed data.

The review confirmed that while most emails contained no significant medical or identity theft-related information, a small percentage included sensitive details of participants in DePaul's behavioral health program. Exposed data consisted of full names, dates of birth, and Social Security numbers. On March 29, 2019, DePaul publicly disclosed the incident and notified affected individuals via mailed letters. The organization offered one year of complimentary credit monitoring services exclusively to those whose Social Security numbers were exposed and established a dedicated toll-free helpline (833-888-4248) for inquiries. DePaul advised impacted individuals to monitor financial and medical statements for signs of fraud or identity theft. The attacker's objective was identified as credential theft for email distribution purposes, with no evidence suggesting misuse of accessed data beyond initial compromise. DePaul emphasized its existing privacy safeguards and commitment to protecting client information in its public statement.