Emory Healthcare
| Primary URL | Location | Industry |
|---|---|---|
| www[.]emoryhealthcare[.]org | Country: United States of America | Healthcare |
Profile
Emory Brain Health Center, operating as Emory Healthcare, is a United States-based healthcare organization that manages sensitive patient information as part of its medical services. The entity's function involves the collection, storage, and processing of personal health data, including names, medical record numbers, contact details, and birth dates, which are integral to patient care and administrative operations. Its work places it within the broader healthcare sector, serving patients whose information is maintained in various datasets. The organization's footprint is defined by its handling of health records for a significant patient population, though specific metrics regarding the total number of patients served or facilities operated are not provided in the available information. A notable aspect of its operational structure is the reliance on third-party service providers for data management, as evidenced by the 2016 incident in which an externally managed database was compromised.
The most comprehensively documented event in the organization's recent history is a security incident from December 30, 2016. During this event, a misconfigured MongoDB database, which was under the control of a third-party vendor rather than Emory's internal IT staff, was hijacked by attackers who demanded a Bitcoin ransom. The database contained sensitive patient information from the Emory Brain Health Center. The incident was initially thought to affect about 200,000 individuals, a figure later revised to approximately 90,000 unique patients. The exposed data elements included names, medical record numbers, addresses, dates of birth, email addresses, and cellphone numbers. The attack was part of a widespread campaign targeting unsecured MongoDB installations at the time. Emory Healthcare did not pay the ransom; instead, the database was restored from existing backups. There was no confirmed evidence that the data was exfiltrated by the attackers prior to its deletion, though the incident represented a serious breach of patient privacy and highlighted vulnerabilities in the organization's third-party data management practices. This event underscores the critical importance of robust security configurations for all systems containing protected health information, regardless of direct operational control.
