Cyber Incident Victim: Hutchinson Clinic
Date: Dec 2022
Location: United States of America
Summary
A healthcare provider in Kansas experienced a cybersecurity incident involving unauthorized access to its computer systems, compromising sensitive patient information. The breach exposed personal and medical data including names, contact details, Social Security numbers, driver's license information, health insurance details, medical histories, diagnoses, treatment records, and associated physician names. Following detection of suspicious network activity, the organization secured its systems and initiated an investigation with third-party forensic experts to determine the scope of impacted data. Notification letters were subsequently distributed to affected individuals whose confidential information was accessed during the intrusion period. Hutchinson Clinic, operating across multiple locations with over 100 physicians, confirmed the exposure through its internal review process.
Description
On December 21, 2022, Hutchinson Clinic, P.A. detected suspicious activity within its computer systems, prompting immediate system security measures and an internal investigation supported by third-party forensic specialists. The investigation determined that an unauthorized party accessed certain network files between December 19 and December 21, 2022. Analysis confirmed these files contained confidential patient information, leading to a comprehensive review of compromised data. The breach exposed sensitive patient details including full names, contact information, dates of birth, Social Security numbers, driver’s license numbers, health insurance policy details, medical record numbers, medical histories, diagnoses, treatment records, and associated physician names. Hutchinson Clinic completed its assessment of impacted individuals and compromised data categories before initiating consumer notifications.

The healthcare provider publicly disclosed the breach in a notice on its website on February 17, 2023, and mailed individualized data breach notifications to affected patients at the same time. The compromised information varied per individual but encompassed multiple categories of personally identifiable and protected health information. Because Hutchinson Clinic is a multi-location provider serving patients across three Kansas facilities with over 100 physicians and 600 staff members, the breach potentially impacted a significant patient population. No specific patient count or operational disruption details were disclosed in the notification. The forensic investigation confirmed data exposure but did not specify whether information was exfiltrated or merely accessed. Hutchinson Clinic's response focused on containment through system security measures, forensic analysis to determine breach scope, and regulatory-compliant patient notifications within two months of incident discovery.
