Cyber Incident Victim: Wisconsin Institute of Urology

The Wisconsin Institute of Urology (WIU) experienced a security incident involving unauthorized access to a protected employee email account. On May 26, 2021, WIU detected suspicious activity associated with the account, prompting an immediate investigation into the nature and scope of the compromise. The organization confirmed on June 9, 2021—fourteen days after initial detection—that unauthorized parties had gained access to the email account. This confirmation enabled WIU to begin assessing the contents of the compromised account to identify affected individuals and determine the specific types of protected health information (PHI) exposed. The breach stemmed directly from the account compromise, though the exact method of initial intrusion was not publicly disclosed.

WIU initiated notification procedures for impacted patients following its internal review of the breached email account’s contents. The institute did not disclose the number of affected individuals in its public statements, and the incident had not yet appeared on the U.S. Department of Health and Human Services’ breach reporting tool at the time of initial media coverage. The compromised data included PHI, though the precise categories (e.g., medical records, billing details) were not specified in available reports. WIU issued a press release outlining the incident’s discovery timeline and its response efforts, emphasizing its commitment to addressing the breach and safeguarding patient information. No additional technical containment measures or forensic findings were publicly detailed beyond the confirmation of unauthorized access and subsequent notification process.