Cyber Incident Victim: Elkins Rehabilitation & Care Center
Date: Feb 2019
Location: United States of America
Summary
A healthcare facility experienced unauthorized access to employee email accounts due to malware infection, compromising systems over several days. The breach potentially exposed personal information of residents and employees, including names combined with protected health details, Social Security numbers, or driver’s license data. Following discovery, the organization engaged forensic experts to investigate, remediated the infection by resetting credentials and replacing affected hardware, and implemented enhanced security measures such as updated anti-malware tools and staff training. After confirming the scope of impacted data, notifications were distributed offering complimentary credit monitoring and identity theft protection services. No evidence of actual misuse was identified, but precautionary notifications were issued to affected individuals.
Description
Elkins Rehabilitation & Care Center (ERCC) detected evidence of unauthorized access to a limited number of employee email accounts in February 2019. The organization immediately engaged its information technology team to investigate, leading to the discovery of malware infections across several systems within ERCC’s computer network. The malware activity occurred between February 4 and February 7, 2019. ERCC’s IT team promptly contained the incident by cleaning the infection and resetting all user passwords. Subsequent analysis identified the malware variant as possessing email extraction capabilities, prompting ERCC to enlist an e-discovery specialist to examine the contents of compromised accounts. This forensic review, completed on July 1, 2020, determined the affected email accounts potentially contained personal information belonging to current and former residents and employees.

The compromised data included individuals’ first and last names combined with one or more sensitive attributes: limited protected health information, Social Security numbers, or driver’s license numbers. ERCC confirmed no evidence of attempted or actual misuse of the exposed information but initiated notifications via first-class mail to potentially affected individuals starting July 2020. The organization offered complimentary identity theft restoration and credit monitoring services through Kroll for a specified period, establishing a dedicated call center for inquiries. Remediation efforts included replacing infected hard drives, updating anti-virus and anti-malware software across all systems, implementing ongoing staff security awareness training, and notifying relevant government regulators. ERCC characterized its notification delay as necessitated by the exhaustive email account review process required to identify impacted parties and determine notification obligations.
