Bon Secours Health System, Inc.

The California Office of the Attorney General disclosed a data breach affecting **Bon Secours Health System, Inc.** in August 2016. The incident occurred between **April 18 and April 21, 2016**, when a third-party vendor, **R-C Healthcare Management**, inadvertently left files containing sensitive patient data exposed on the internet. The compromised information included **names, health insurance details, Social Security numbers, and clinical records** of unspecified individuals. The breach stemmed from misconfigured access controls, allowing unauthorized exposure of protected health information (PHI). While the exact number of affected patients was not specified, the exposure posed significant risks of identity theft, financial fraud, and privacy violations. The vendor’s negligence in securing the data led to potential long-term repercussions for the impacted individuals, including reputational harm to Bon Secours and regulatory scrutiny under healthcare data protection laws such as **HIPAA**. No evidence of malicious exploitation was confirmed, but the unauthorized accessibility alone constituted a severe lapse in data security protocols.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-63348

TPRM report: https://www.rankiteo.com/company/bon-secours-health-system

"id": "bon158082125",
"linkid": "bon-secours-health-system",
"type": "Breach",
"date": "4/2016",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unspecified (patients)',
                        'industry': 'Healthcare',
                        'location': 'California, USA (and other regions where '
                                    'Bon Secours operates)',
                        'name': 'Bon Secours Health System, Inc.',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare Management',
                        'name': 'R-C Healthcare Management',
                        'type': 'Vendor'}],
 'attack_vector': 'Inadvertent Exposure (Misconfigured Internet-Accessible '
                  'Files)',
 'data_breach': {'data_exfiltration': 'Potential (files left accessible via '
                                      'internet)',
                 'personally_identifiable_information': ['Names',
                                                         'Social Security '
                                                         'Numbers',
                                                         'Health Insurance '
                                                         'Information',
                                                         'Clinical '
                                                         'Information'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)']},
 'date_detected': '2016-04-21',
 'date_publicly_disclosed': '2016-08-12',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving Bon Secours Health System, Inc. on August '
                '12, 2016. The breach, which occurred between April 18, 2016, '
                'and April 21, 2016, was due to files containing patient '
                'information being inadvertently left accessible via the '
                'internet by the vendor R-C Healthcare Management, potentially '
                'affecting the names, health insurance information, social '
                'security numbers, and clinical information of unspecified '
                'individuals.',
 'impact': {'data_compromised': ['Names',
                                 'Health Insurance Information',
                                 'Social Security Numbers',
                                 'Clinical Information'],
            'identity_theft_risk': 'High (PII and SSNs exposed)'},
 'post_incident_analysis': {'root_causes': 'Misconfiguration by third-party '
                                           'vendor (R-C Healthcare Management) '
                                           'leading to unintended exposure of '
                                           'sensitive files over the '
                                           'internet.'},
 'references': [{'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (Health '
                                                    'Insurance Portability and '
                                                    'Accountability Act) '
                                                    'violations',
                                                    'California Data Breach '
                                                    'Notification Law (if '
                                                    'applicable)'],
                           'regulatory_notifications': 'California Office of '
                                                       'the Attorney General'},
 'response': {'communication_strategy': 'Public disclosure via California '
                                        'Office of the Attorney General'},
 'title': 'Bon Secours Health System, Inc. Data Breach (2016)',
 'type': 'Data Breach'}