On June 22, 2017, Community Memorial Health System (CMHS) suffered a data breach after an employee’s email account was compromised via a phishing attack. The incident was formally reported on September 5, 2017. The exposed data included patient names, CMHS Medical Record Numbers, and certain health-related information. However, no Social Security numbers or financial account details were compromised. The breach stemmed from unauthorized access to an employee’s email, potentially exposing sensitive but non-financial patient data. While the attack did not involve ransomware or direct financial theft, it highlighted vulnerabilities in CMHS’s email security protocols, leading to the unauthorized disclosure of protected health information (PHI). The breach underscored risks associated with phishing-driven credential theft and the broader implications for patient privacy and trust in healthcare systems.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-101618
TPRM report: https://www.rankiteo.com/company/community-memorial-health-system
"id": "com002091825",
"linkid": "community-memorial-health-system",
"type": "Breach",
"date": "6/2017",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'Healthcare',
'location': 'California, USA',
'name': 'Community Memorial Health System (CMHS)',
'type': 'Healthcare System'}],
'attack_vector': 'Phishing',
'data_breach': {'personally_identifiable_information': ['Patient names',
'Medical Record '
'Numbers'],
'sensitivity_of_data': 'Moderate (health data but no '
'SSNs/financial info)',
'type_of_data_compromised': ['Patient names',
'Medical Record Numbers',
'Health information']},
'date_detected': '2017-06-22',
'date_publicly_disclosed': '2017-09-05',
'description': 'The California Office of the Attorney General reported that '
'Community Memorial Health System (CMHS) experienced a data '
'breach on June 22, 2017, involving a compromised employee '
'email account via phishing. The breach notification was '
'reported on September 5, 2017. The information potentially '
'involved included patient names, CMHS Medical Record Numbers, '
'and certain health information; however, it did not include '
'social security numbers or financial account information.',
'impact': {'data_compromised': ['Patient names',
'CMHS Medical Record Numbers',
'Certain health information'],
'identity_theft_risk': 'Low (no SSNs or financial data exposed)',
'payment_information_risk': 'None',
'systems_affected': ['Employee email account']},
'initial_access_broker': {'entry_point': 'Phishing (compromised employee '
'email account)',
'high_value_targets': ['Employee email account',
'Patient health data']},
'post_incident_analysis': {'root_causes': ['Successful phishing attack '
'leading to email account '
'compromise']},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (Health '
'Insurance Portability and '
'Accountability Act) '
'violations'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public breach notification via '
'California Office of the Attorney '
'General'},
'title': 'Community Memorial Health System (CMHS) Data Breach via Phishing '
'(2017)',
'type': 'Data Breach',
'vulnerability_exploited': 'Human (Employee Email Compromise)'}