Cyber Incident Victim: National Association of Community Health Centers

The National Association of Community Health Centers (NACHC) discovered on October 16, 2021, that certain organizational systems had become inaccessible. An investigation later determined the incident was a coordinated cyberattack that began on October 4, 2021, during which threat actors accessed and encrypted multiple servers. The forensic investigation concluded on December 13, 2021, but analysts could not confirm whether attackers exfiltrated data from the compromised infrastructure. NACHC initiated breach notifications on October 4, 2022, mailing letters to 935 current and former employees whose personal information resided on the affected systems. The notification letters were submitted to the Maine Attorney General's Office as part of regulatory compliance efforts.

Compromised servers contained extensive employee records including full names, addresses, dates of birth, salary details, tax information, and Social Security numbers. Additional exposed data encompassed insurance coverage types, beneficiary names, emergency contact information, and employment start dates. NACHC offered affected individuals 24 months of complementary identity protection services through a third-party provider. This package included credit monitoring, identity theft recovery services with full management, and an insurance reimbursement policy covering certain financial losses. The organization did not publicly disclose technical details about the attack vector, containment measures, or whether law enforcement was involved in the investigation. No evidence suggested patient health records or clinical operations systems were impacted during the incident.