
Cyber Incident Victim: PVHS-ICM Employee Health and Wellness

Date: May 2017

Location: United States of America

Summary

A ransomware attack compromised a server that had been inactive for several years prior to the incident. The server was previously used by a healthcare clinic now operated by PVHS-ICM Employee Health and Wellness. Forensic analysis confirmed that the server was accessed without authorization to deploy ransomware but found no evidence that patient data (including names, Social Security numbers, medical records, and health insurance details) was accessed or exfiltrated. Notification was issued as a precaution due to the presence of sensitive information on the isolated server, which contained no financial data or records from recent operations. The breach was confined to a single physical location with no impact on other systems.


Description

On May 4, 2017, PVHS-ICM Employee Health and Wellness LLC discovered a potential ransomware infection affecting a computer server at its Fort Collins, Colorado clinic located at 2211 S. College Ave. The compromised server had previously been utilized by Miramont Urgent Care prior to PVHS-ICM assuming operations of the clinic in September 2014, and it had remained inactive since that transition. An internal investigation initiated upon discovery revealed that an unauthorized individual had gained access to the server specifically to deploy ransomware. Forensic experts engaged by PVHS-ICM confirmed the ransomware infection but found no evidence that any personal or medical information stored on the server had been accessed, viewed, copied, or exfiltrated during the incident. The server exclusively contained historical patient records from individuals treated at the clinic before September 23, 2014, with no connection to PVHS-ICM's active systems or other clinic locations. Data present on the server included patient names, addresses, Social Security numbers, medical diagnosis and treatment details, health insurance policy numbers, and demographic information, though no financial data was stored on the affected system.

PVHS-ICM issued breach notifications to affected individuals despite the absence of confirmed data access or theft, citing an abundance of caution and potential regulatory obligations. The notification clarified the incident's isolation to the single physical server at the Fort Collins location, emphasizing that no other clinics or systems within PVHS-ICM's network were impacted. Patients received information about protective measures they could undertake alongside resources offered by PVHS-ICM to address potential concerns. The organization's forensic analysis confirmed the server's physical and network isolation since September 2014, limiting the temporal scope of exposed data to records created before that date. No operational disruptions or subsequent security events stemming from the incident were reported in relation to PVHS-ICM's current systems or patient care activities.
