Cyber Incident Victim: Org 05f6d5ab-7b80-4edf-b1ec-8ac6ec015343

On March 10, 2022, Val Verde Regional Medical Center (VVRMC) experienced a data security incident that disrupted its operational systems. The disruption prompted immediate action from the organization, which launched an internal investigation to assess the nature and scope of the breach. VVRMC engaged a third-party digital forensics firm to assist in determining the extent of unauthorized access and to identify compromised data types. The investigation revealed that threat actors potentially accessed sensitive personal and medical information during the incident. While the exact method of intrusion remained unspecified, the forensic analysis confirmed that the attackers targeted systems containing patient records and administrative data.

The types of information exposed varied by individual but included names, physical addresses, Social Security numbers, patient account numbers, and medical record numbers. The incident impacted 86,562 individuals, though VVRMC did not disclose whether the breach affected employees, patients, or other parties. On May 25, 2022, VVRMC formally notified the U.S. Department of Health and Human Services Office for Civil Rights (OCR) about the breach, fulfilling federal reporting obligations under HIPAA. The organization published a public notice detailing the incident timeline and the categories of exposed data but did not specify whether ransomware, phishing, or other attack vectors were involved. No evidence suggested data misuse or further dissemination of stolen information at the time of reporting. VVRMC’s response focused on containment, investigation, and regulatory compliance without disclosing additional remediation measures or system restoration efforts.