Cyber Incident Victim: Mena Regional Health System
Date:
Nov 2022
Location:
United States of America
Summary
Mena Regional Health System experienced a data breach involving unauthorized access to its computer systems, resulting in the exposure of sensitive patient information. The compromised data included names, Social Security numbers, dates of birth, driver's license numbers, government IDs, financial account details, medical records, diagnoses, treatment information, lab results, prescriptions, and health insurance data. The healthcare provider initiated an investigation with cybersecurity experts and law enforcement after detecting the intrusion, confirming that patient data was accessed and exfiltrated. Affected individuals received notification letters detailing the incident and potential risks of identity theft or fraud stemming from the unauthorized disclosure of their protected health and personal information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Mena Regional Health System (MRHS), a healthcare provider based in Mena, Arkansas, reported a data breach to the U.S. Department of Health and Human Services Office for Civil Rights on November 22, 2022. The breach occurred after MRHS discovered that an unauthorized party had gained access to its computer systems and removed certain data containing patients' confidential information. Upon learning of the incident, MRHS immediately alerted law enforcement agencies and initiated an internal investigation with the assistance of cybersecurity experts to determine the scope and nature of the breach. The investigation confirmed that the unauthorized actor accessed portions of MRHS's computer systems storing sensitive patient data, though the exact method of initial access or duration of compromise was not disclosed in public filings. Following this confirmation, MRHS conducted a comprehensive review of the affected files to identify both the types of compromised information and the specific individuals impacted by the incident.
The compromised data included first and last names, Social Security numbers, dates of birth, driver's license numbers, government identification numbers, financial account information, medical record numbers, patient account numbers, medical diagnoses, treatment details, provider names, lab results, prescription information, and health insurance details. On November 22, 2022, concurrent with its regulatory filing, MRHS began notifying all affected individuals through data breach letters that outlined the nature of the exposed information and provided guidance on protective measures against identity theft and fraud. The healthcare system, which serves Polk County, western Arkansas, and eastern Oklahoma through acute care facilities, specialty clinics, and behavioral health centers, did not disclose the exact number of affected patients in its public notices. With 76 employees and approximately $14 million in annual revenue, MRHS's breach exposed multiple categories of sensitive health and identification data that could potentially facilitate various forms of financial fraud and medical identity theft against impacted patients. The organization's public communications emphasized the completion of their forensic investigation and notification process but did not specify whether system security enhancements were implemented following the incident.