Cyber Incident Victim: Crossroads Health
Date: Nov 2021
Location: United States of America
Summary
The source article for this entry exclusively details a data breach at Duncan Regional Hospital (DRH) and includes no information about Crossroads Health, so no incident summary for Crossroads Health is available from that material.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Duncan Regional Hospital (DRH), a not-for-profit community hospital in Oklahoma, experienced a data security incident discovered on January 20, 2022, which disrupted access to certain systems. The hospital promptly disconnected all systems from external access and activated its incident response protocols upon detection. An investigation followed to determine the nature and scope of the breach, though the specific attack vector—whether ransomware, data exfiltration, or another method—remained unconfirmed. The incident potentially exposed sensitive patient information, including names, Social Security numbers, treatment details, medical appointment records, and birth dates. Employee data was also compromised, with W-2 forms containing names, birth dates, Social Security numbers, and addresses at risk. The breach impacted over 92,000 individuals, as reported to the Maine Attorney General’s Office, though the incident had not yet appeared on the Office for Civil Rights (OCR) breach portal at the time of reporting.

DRH implemented multiple corrective measures to address the breach and prevent recurrence. These actions included changing all system passwords, tightening firewall restrictions, and deploying endpoint threat detection and response monitoring software across workstations and servers. The hospital notified affected individuals via mail, outlining the exposed data types and offering complimentary credit monitoring services through Experian. No evidence suggested misuse of the compromised data at the time of disclosure. The hospital’s response emphasized containment, system hardening, and transparency with impacted parties, though the investigation did not publicly attribute the incident to a specific threat actor or confirm whether data was exfiltrated or merely accessed.
