Cyber Incident Victim: Rutland Regional Medical Center
Date: Nov 2018
Location: United States of America
Summary
Rutland Regional Medical Center experienced unauthorized access to nine employee email accounts over several months, discovered after an employee reported suspicious spam activity. The investigation revealed compromised accounts containing sensitive patient data, including names, contact information, Social Security numbers, financial details, medical record numbers, diagnoses, treatment information, and insurance data. While no electronic medical record systems or internal networks were breached, the organization notified potentially affected individuals as a precaution despite being unable to confirm specific data access or theft. Forensic experts assisted in addressing the incident, with enhanced email security measures implemented following the breach.
Description
On December 21, 2018, a Rutland Regional Medical Center employee identified a high volume of spam emails originating from their email account, prompting them to report the activity to the IT Department on December 29, 2018. The IT Department confirmed unauthorized access to the employee's account by December 31, 2018, leading to immediate password changes and account locking. The medical center engaged third-party forensic investigators to assess the breach, with the ongoing investigation revealing unauthorized access to nine employee email accounts between November 2, 2018, and February 6, 2019. The compromise was confined exclusively to these email accounts, with no evidence of intrusion into Electronic Medical Record systems or other internal clinical or administrative systems. The attackers maintained intermittent access over this three-month period, though the exact methods of initial compromise were not publicly disclosed.

The forensic investigation confirmed on February 6, 2019, that exposed information within the email accounts potentially included patient names, contact details, Social Security numbers, financial data, dates of birth, medical record numbers, diagnosis and treatment information, and health insurance details. Rutland Regional could not confirm whether attackers specifically viewed or exfiltrated individual records but issued notifications on February 20, 2019, to all potentially affected patients out of caution. The medical center reported the incident to relevant regulators and implemented unspecified measures to strengthen email system security. No ransomware deployment, data destruction, or demands were mentioned in the public disclosure. The incident’s operational impact appeared limited to email communications, with no disruption to clinical care systems or broader network infrastructure reported.
