Cyber Incident Victim: Westminster College

Westminster College in Salt Lake City, Utah, notified individuals of a data breach stemming from a phishing attack that compromised eleven employee email accounts. The incident occurred between May 1, 2018, and July 21, 2018, though the exact date of initial attacker access remained unspecified in the college’s notification to the Montana Attorney General’s Office. Exposed information included names, addresses, dates of birth, Social Security Numbers, bank account numbers, credit card numbers, driver’s license numbers, passport numbers, and protected health information. The notification did not clarify whether impacted individuals were exclusively employees or included students, nor did it disclose the total number of affected parties. The college concluded its investigation and issued notifications to affected individuals within 30 days of the investigation’s completion, consistent with its stated timeline.

The college provided mitigation services to impacted individuals, though specific remediation steps taken internally were not detailed in the notification. The presence of protected health information raised questions about compliance with HIPAA and HITECH reporting requirements, particularly whether the incident was reported to the U.S. Department of Health and Human Services within the mandated 60-day window following discovery. The article noted uncertainty regarding whether the breach met the threshold for HHS disclosure, which applies to incidents affecting 500 or more individuals. No confirmation was provided about whether Westminster College reported the breach to HHS or the date on which the institution first discovered the compromise. The college’s notification to the Montana Attorney General listed July 21, 2018, as the incident’s conclusion date but did not specify when the phishing attacks were initially detected or contained.