Cyber Incident Victim: Henderson & Walton Women's Center
Date:
Sep 2022
Location:
United States of America
Summary
The Henderson & Walton Women's Center experienced a breach involving unauthorized access to an employee email account, compromising sensitive data of 34,306 patients including personal identifiers, medical information, and insurance details. The organization secured the affected account, confirmed no server access occurred, and implemented enhanced email encryption alongside automatic deletion protocols for emails containing patient data. Additional security measures were adopted to prevent future incidents, including plans to eliminate email-based sharing of personal information entirely.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Henderson & Walton Women’s Center (HWWC) experienced a cybersecurity incident involving unauthorized access to an employee email account, compromising the protected health information of 34,306 patients. The breach was discovered when the organization identified an intrusion into its email systems, though the exact start date of the unauthorized access was not disclosed in public notices. HWWC immediately secured the compromised email account and initiated an investigation, which concluded on June 24, 2022. The investigation determined that the threat actors accessed sensitive patient data stored within the email account, including names, dates of birth, Social Security numbers, medical information, health insurance details, driver’s license numbers, and state identification numbers. The compromised data varied by individual, with not all elements exposed for every affected patient. HWWC emphasized that the hackers did not gain access to its servers or other data storage facilities, limiting the breach to the compromised email account. All internal emails within HWWC’s system were encrypted at the time of the incident, though the notice did not specify whether this encryption prevented actual data access or exfiltration by the attackers.
In response to the incident, HWWC implemented additional security measures including enhanced protections for its encrypted email system and revised privacy policies. The organization introduced automatic deletion protocols for emails containing patient information, which are now purged after three days unless manually preserved. HWWC also announced plans to implement a new system designed to eliminate the sharing of personal information via email entirely. The breach notification did not reference involvement of law enforcement or external forensic investigators, nor did it mention whether credit monitoring services were offered to affected individuals. The delayed public disclosure timeline relative to the June investigation conclusion date was not explained in available sources, though the organization maintained that its response included comprehensive measures to prevent recurrence. No ransomware involvement or financial demands were cited in connection with this specific incident, distinguishing it from other contemporaneous healthcare breaches involving data extortion tactics.