Cyber Incident Victim: Mattapan Community Health Center
Date:
Jul 2020
Location:
United States of America
Summary
Mattapan Community Health Center experienced a security incident involving unauthorized access to an employee email account over several months. An investigation with third-party forensic experts determined the breach potentially exposed sensitive patient information, including names, Social Security numbers, medical diagnoses, treatment details, provider information, health insurance data, and medical record numbers. The organization implemented enhanced security measures and notified potentially affected individuals, though no actual misuse of information was identified. A dedicated assistance line was established for inquiries, and impacted parties were advised to monitor their accounts for suspicious activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 16, 2020, Mattapan Community Health Center (MCHC) detected unusual activity within an employee email account, prompting an immediate investigation supported by a third-party computer forensic investigator. The investigation determined that an unauthorized actor accessed the email account between July 28, 2020, and October 15, 2020, with confirmation of the breach occurring on October 29, 2020. MCHC conducted a manual and programmatic review of the compromised account’s contents to identify sensitive information exposed during the three-month access period. The types of data accessible to the threat actor included patient names, Social Security numbers, medical diagnoses, treatment details, provider information, health insurance details, and medical record numbers. MCHC undertook a subsequent review of internal records to verify the identities and mailing addresses of affected individuals, though the organization stated no evidence of actual or attempted misuse of the data had been observed at the time of disclosure.
Following the breach confirmation, MCHC initiated written notification mailings to all potentially impacted individuals by December 31, 2020, and established a dedicated assistance line for inquiries. The health center emphasized its prioritization of data confidentiality and security by implementing additional protective measures, though specific technical or procedural enhancements were not detailed in public statements. The incident’s impact varied across individuals based on the contents of the compromised email account, with no indication provided regarding the number of affected patients or the method of initial account compromise. MCHC directed affected parties to resources on its website while maintaining that the notification was issued proactively despite the absence of identified misuse. The organization’s response focused on containment through forensic analysis, identity verification, and communication, without public disclosure of remediation steps beyond generalized security improvements.