Cyber Incident Victim: Hendricks Regional Health

On November 1, 2023, Hendricks Regional Health experienced a disruption to its public website, rendering it inaccessible to users. Hospital leadership attributed the outage to a cyberattack targeting an external third-party vendor responsible for hosting and maintaining the website. The organization publicly confirmed the incident on the same day the website became unavailable, indicating no prior awareness of the vulnerability exploited in the attack. While the technical specifics of the attack vector and the identity of the threat actor remained undisclosed, the hospital emphasized the compromised system’s isolation from its internal networks and patient-facing platforms. This separation was cited as a critical factor in limiting the incident’s operational impact, as electronic health records, appointment scheduling systems, and other clinical or administrative functions reportedly continued operating without interruption.

The hospital’s response focused on public communication and risk assessment. Leaders explicitly stated they had no evidence suggesting unauthorized access to patient data or other sensitive information, citing the architectural segregation between the breached vendor system and their own infrastructure as the basis for this assessment. No containment measures were disclosed beyond the inherent isolation of the affected vendor system, and the hospital did not specify whether law enforcement or regulatory agencies had been engaged. Restoration timelines remained undefined as of the initial announcement, with no subsequent public updates provided in the immediate aftermath. The incident primarily affected public access to general hospital information through the website, with no reported disruptions to clinical operations, patient care delivery, or internal communications systems.