Cyber Incident Victim: True Health New Mexico
Date:
Oct 2021
Location:
United States of America
Summary
A healthcare insurer serving New Mexico residents experienced a cyberattack involving unauthorized third-party access to its IT systems, potentially compromising personal data of over 62,000 individuals. Exposed information included names, birthdates, addresses, email contacts, insurance details, medical records, and Social Security numbers. The organization reported no evidence of data misuse but provided affected individuals with two years of complimentary credit monitoring services. This breach was disclosed through official HIPAA reporting channels amid a broader surge of healthcare sector security incidents nationally during the same period.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In October 2021, True Health New Mexico, a healthcare insurer serving employers across New Mexico, experienced a cyber-attack involving unauthorized third-party access to its IT systems. The breach was detected by security professionals who determined that accessed files contained sensitive personally identifiable information of current and former members, select providers, and some former members of New Mexico Health Connections. The compromised data included policyholders' full names, dates of birth, home addresses, email addresses, insurance details, medical information, and Social Security numbers. The organization reported the incident to the U.S. Department of Health and Human Services through the HIPAA Breach Portal, disclosing that over 62,000 New Mexico residents were affected. True Health New Mexico issued breach notifications to all potentially impacted individuals but stated no evidence existed that any stolen information had been misused following the intrusion. The attack occurred during a period of heightened healthcare sector breaches, with federal authorities receiving over 30 HIPAA breach notifications nationwide in November 2021 alone.
True Health New Mexico responded by offering all affected individuals a complementary 24-month credit monitoring membership to mitigate potential financial fraud risks stemming from the exposure of Social Security numbers and insurance details. The company's public notification emphasized the containment of the incident to early October system access without further elaboration on technical remediation steps. The breach impacted exclusively New Mexico residents across True Health's customer base, including both individual policyholders and employer-sponsored plans. While the organization confirmed the involvement of an external threat actor, it did not disclose the attack vector, duration of system access, or whether ransomware or data exfiltration occurred. The incident marked one of multiple healthcare data breaches reported to federal regulators during late 2021, though True Health maintained operations without reported service disruptions throughout the investigation and notification process.