Cyber Incident Victim: Newman Regional Health
Date:
Jan 2021
Location:
United States of America
Summary
Newman Regional Health experienced unauthorized access to employee email accounts over a 10-month period, compromising protected health information of 52,224 patients. Exposed data included names, dates of birth, medical identifiers, contact details, health treatment or insurance information, and limited financial or Social Security numbers for some individuals. The organization secured affected accounts upon detection, initiated an investigation confirming exposed data types, and found no evidence of fraudulent misuse at notification. Additional security measures were implemented following the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Newman Regional Health (NRH), operator of a 25-bed critical access hospital in Emporia, Kansas, experienced a breach involving unauthorized access to employee email accounts over a 10-month period between January 26, 2021, and November 23, 2021. The organization detected the intrusion and immediately secured the compromised accounts while initiating an investigation to assess the scope and nature of the incident. Forensic analysis confirmed on March 14, 2022, that the breached email accounts contained protected health information and employment-related data. Exposed patient information included full names, dates of birth, medical record/ID numbers, physical addresses, phone numbers, email addresses, and limited health, treatment, or insurance details. For employees, the breach exposed information collected during their employment or service engagements with NRH. A subset of affected individuals had more sensitive data compromised, including Social Security numbers and financial information. The specific data elements varied across individuals, with no uniform pattern of exposure identified across all victims.
NRH began notifying 52,224 affected patients following the completion of the forensic review, though the exact notification date wasn't specified in available sources. The organization publicly disclosed the breach through its website, emphasizing that no evidence of fraudulent activity stemming from the incident had been identified at the time of notification. In response to the breach, NRH implemented additional security measures to strengthen its email systems and prevent similar incidents, though technical specifics of these enhancements weren't detailed publicly. The breach investigation timeline shows a 16-week period between the confirmed understanding of exposed data elements (March 14, 2022) and the public reporting of the incident (April 18, 2022). While the breach duration spanned nearly a year, the notification letters clarified that different email accounts were compromised at various times throughout the 10-month intrusion window rather than through a single continuous attack.