Cyber Incident Victim: Beacon Health System
Date: Nov 2013
Location: United States of America
Summary
Beacon Health System experienced a data security incident involving unauthorized access to employee email accounts via a phishing attack, potentially compromising patient information such as names, medical diagnoses, treatment details, Social Security numbers, and other sensitive personal and health data. The organization found no evidence of actual data viewing or removal but confirmed patient information was present in the accessed accounts, prompting an investigation, policy reviews, security enhancements, and notifications to affected individuals with offers of complimentary credit monitoring and identity restoration services.
Description
Beacon Health System, based in Indiana, discovered unauthorized access to employee email accounts on March 25, 2015, following a phishing attack that compromised these accounts. The health system later confirmed on May 1, 2015, that the breached email accounts contained protected health information belonging to patients. Unauthorized individuals had accessed certain employee email accounts intermittently over a 14-month period, with the first known intrusion occurring in November 2013 and the last documented unauthorized access on January 26, 2015. The compromised email accounts contained diverse categories of sensitive patient information including full names, treating physician names, internal patient identification numbers, medical status indicators, Social Security numbers, dates of birth, driver's license numbers, medical diagnoses, service dates, treatment details, and other clinical record data. Beacon Health stated there was no evidence that attackers actually viewed or exfiltrated the sensitive information from the email accounts, but acknowledged that patient data was present in the compromised mailboxes. The organization did not disclose the number of potentially affected individuals.

In response to the breach, Beacon Health launched an investigation that remained ongoing as of the May 22, 2015 notification date. The health system initiated a comprehensive review of its existing data security policies and operational procedures, pledging to implement additional protective measures to prevent recurrence of similar incidents. Beacon began notifying all potentially impacted individuals through direct communications and published a formal notice titled "Beacon Health Provides Notice of Data Security Event" on its organizational website. Affected patients were offered complimentary identity protection services including one year of credit monitoring and identity restoration assistance. The phishing attack vector highlighted vulnerabilities in employee email security, though specific technical details about the containment measures or forensic investigation methodology were not disclosed in public statements.
