Cyber Incident Victim: Scenic Bluffs Community Health Centers

On February 28, 2018, Scenic Bluffs Community Health Centers experienced unauthorized access to a single staff email account by cyber attackers. The breach was discovered on March 1, 2018, when the organization identified that an unauthorized party had compromised the account and established an email forwarding mechanism. This forwarding rule resulted in 44 emails being diverted externally before Scenic Bluffs disabled the unauthorized setting. Forensic analysis confirmed none of these forwarded emails contained protected health information (PHI), though the attackers potentially viewed other messages containing personally identifiable information (PII). The compromised account was immediately deactivated following detection, effectively containing the incident. Scenic Bluffs characterized the intrusion as "limited" in scope, with no evidence suggesting broader system penetration beyond the targeted email account.

Scenic Bluffs notified 2,889 potentially affected patients via mailed letters on April 23, 2018, despite confirming no actual PHI exposure. CEO Mari Freiberg stated this notification complied with federal privacy regulations requiring disclosure based on potential access to protected information. The investigation revealed the attackers may have obtained PII, though specific data elements were not detailed publicly. Existing security safeguards were maintained throughout the incident, but Scenic Bluffs initiated additional measures to strengthen operational security and reduce future risks. The organization engaged an external cybersecurity firm to evaluate systems and implement evolving threat countermeasures. Patients were directed to contact a dedicated phone line staffed during business hours for breach-related inquiries, with Scenic Bluffs emphasizing resolution of the incident upon account closure and forwarding rule termination.