Cyber Incident Victim: Hendrick Health System

Hendrick Health System identified a network security breach on November 20, 2020, following unauthorized access to its computer systems between October 10 and November 9 of that year. The organization determined that patient information exposed during the incident included names, Social Security numbers, demographic details, and limited information about care provided at their facilities. Electronic health records systems remained unaffected by the breach, preserving the integrity of core medical documentation. The security incident specifically impacted operations at Hendrick Medical Center and Hendrick Clinic, while Hendrick Medical Center South and Hendrick Medical Center Brownwood systems were not compromised. Hendrick initiated patient notifications regarding the data exposure beginning October 10, 2020, through public statements and direct communications, though the breach had not yet appeared on official HHS breach reporting tools at the time of reporting.

The breach caused operational disruptions across affected facilities, necessitating system containment measures during the investigation period. Forensic analysis confirmed the exposure window spanned approximately one month before detection, though no evidence emerged suggesting the compromised data appeared on ransomware leak sites operated by cybercriminal groups. Hendrick maintained transparency through public disclosures on their official website starting in November 2020, prior to formal regulatory notifications. The organization focused notification efforts on individuals whose sensitive personal information was potentially accessible during the intrusion, while confirming unaffected facilities continued normal operations throughout the incident period. System recovery efforts proceeded concurrently with ongoing investigations to determine the full scope of impacted data and systems.