Cyber Incident Victim: Catawba Valley Medical Center
Date: Jul 2018
Location: United States of America
Summary
Catawba Valley Medical Center experienced a security incident involving unauthorized access to three employee email accounts over a period of several weeks, potentially exposing patient information including names, dates of birth, health service details, insurance information, and some Social Security numbers. The organization secured the accounts promptly, initiated an investigation with forensic experts, and found no evidence of misuse but notified affected individuals while implementing enhanced email controls, security training, and system upgrades to mitigate future risks.
Description
On August 13, 2018, Catawba Valley Medical Center discovered that an unauthorized individual may have accessed an employee's email account. The organization immediately secured the compromised account and initiated an investigation with assistance from a computer forensic firm. By August 24, 2018, the investigation revealed that three separate email accounts had potentially been breached between July 4, 2018 and August 17, 2018. The compromised accounts contained patient information including names, dates of birth, health service details from CVMC, health insurance information, and Social Security numbers for some individuals. There was no evidence suggesting any misuse of the exposed information. The medical center determined the incident constituted a phishing attack that enabled unauthorized access to the email systems during this seven-week period.

CVMC began mailing notification letters to affected patients on October 12, 2018, nearly two months after confirming the breach scope. They established a dedicated call center, operating Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern time, to address patient concerns, and advised recipients to monitor insurance statements for unauthorized services. As corrective measures, the institution implemented enhanced email security controls, upgraded hardware and software platforms, and expanded employee cybersecurity education programs. The organization emphasized its commitment to protecting patient information while acknowledging the inconvenience caused by the incident. Patient notifications were completed through physical mail, with a follow-up deadline of November 15, 2018 for those who had not received letters by that date.
