John Muir Health

The California Office of the Attorney General disclosed on April 13, 2023, that John Muir Health - Walnut Creek Medical Center suffered a data breach due to an internal error. A staff member created a website that inadvertently included an external link to an Excel file containing identifiable patient health information. The website was published on July 1, 2021, and the file remained accessible until the site was decommissioned on March 24, 2023. The breach involved the potential unauthorized disclosure of sensitive patient data, though the exact number of affected individuals remains undetermined. The incident highlights risks associated with improper data handling and unintended public exposure of protected health records, raising concerns over patient privacy, regulatory compliance (e.g., HIPAA), and trust in the healthcare provider. The breach was not attributed to malicious cyber activity but rather to human error and inadequate safeguards in publishing internal documents.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-565519

TPRM report: https://www.rankiteo.com/company/john-muir-health

"id": "joh556091725",
"linkid": "john-muir-health",
"type": "Breach",
"date": "7/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown (Patient Records)',
                        'industry': 'Healthcare',
                        'location': 'Walnut Creek, California, USA',
                        'name': 'John Muir Health - Walnut Creek Medical '
                                'Center',
                        'type': 'Healthcare Provider'}],
 'data_breach': {'data_exfiltration': 'Unintentional (Publicly Accessible)',
                 'file_types_exposed': ['Excel (.xls/.xlsx)'],
                 'number_of_records_exposed': 'Unknown',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (Health + PII)',
                 'type_of_data_compromised': ['Patient Health Information '
                                              '(PHI)',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'date_publicly_disclosed': '2023-04-13',
 'date_resolved': '2023-03-24',
 'description': 'The California Office of the Attorney General reported that '
                'John Muir Health - Walnut Creek Medical Center experienced a '
                'data breach involving potential inappropriate disclosure of '
                'patient health information. The breach occurred due to a '
                'staff member creating a website that inadvertently linked to '
                'an external Excel file containing identifiable patient '
                'information. The website was published on July 1, 2021, and '
                'decommissioned on March 24, 2023.',
 'impact': {'brand_reputation_impact': 'Potential (Patient Trust Erosion)',
            'data_compromised': True,
            'identity_theft_risk': 'Potential (PII Exposure)',
            'legal_liabilities': 'Potential (HIPAA Violation)'},
 'investigation_status': 'Disclosed (No Further Details)',
 'post_incident_analysis': {'root_causes': 'Human Error (Improper Data '
                                           'Handling + Lack of Access '
                                           'Controls)'},
 'references': [{'date_accessed': '2023-04-13',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Health Insurance '
                                                    'Portability and '
                                                    'Accountability Act '
                                                    '(HIPAA)'],
                           'regulatory_notifications': 'California Office of '
                                                       'the Attorney General'},
 'response': {'communication_strategy': 'Public Disclosure via California AG '
                                        'Report',
              'containment_measures': 'Website Decommissioned (2023-03-24)'},
 'title': 'John Muir Health - Walnut Creek Medical Center Data Breach '
          '(2021-2023)',
 'type': 'Data Breach (Inadvertent Disclosure)',
 'vulnerability_exploited': 'Human Error (Inadvertent Publication of Sensitive '
                            'Data)'}