
Cyber Incident Victim: McLeod Health

Date:

Apr 2020

Location:

United States of America

Summary

An unauthorized actor accessed an employee email account at McLeod Health over several days in April 2020 and automatically downloaded the account's contents. The organization detected suspicious activity on the account roughly two months later, confirmed the data exfiltration following a forensic investigation, and initiated a review of the mailbox to identify potentially compromised patient information. Response measures included securing the affected account, modifying email environment settings to prevent similar incidents, and removing settings that had allowed certain devices to bypass multi-factor authentication. While the full scope of impacted data remained under review, the healthcare provider established a dedicated call center for patient inquiries and emphasized enhanced employee security training. The incident potentially exposed sensitive patient details, prompting notifications to affected individuals alongside internal security improvements.


Description

On April 13, 2020, an unauthorized actor gained access to a McLeod Health employee email account and maintained that access until April 16, 2020. During this period, the attacker automatically downloaded the contents of the compromised email account. McLeod Health detected suspicious activity related to the account on June 23, 2020, prompting an investigation and a detailed forensic review of its email environment. On August 19, 2020, just over four months after the initial intrusion, McLeod confirmed that unauthorized data exfiltration had occurred during the April access window. The forensic analysis established that no other email accounts or systems beyond the single compromised account were affected during this incident.


McLeod Health immediately secured the breached email account upon confirming the unauthorized access and modified account settings across its environment to prevent similar incidents. The organization initiated a thorough review of the email account's contents to identify potentially exposed patient information, with plans to notify affected individuals once the analysis concluded. A dedicated call center (1-888-669-5940) was established to address patient inquiries during regular business hours. McLeod advised patients to monitor their healthcare statements for unrecognized services and contact providers if discrepancies arose. Internally, the organization modified settings that had permitted certain devices to bypass multi-factor authentication protocols and implemented additional employee training on email security practices. The investigation remained ongoing at the time of the November 30, 2020 public notice, with McLeod committing to provide updates as more information about the scope of impacted patient data became available.
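The two signals in this incident, sign-ins that completed without MFA because of a device exception and a sustained bulk download of one mailbox over several days, are both detectable from ordinary authentication and mailbox-access logs. The script below is an added example of that correlation and is not McLeod Health's code or tooling; the log schema (one JSON object per line with `ts`, `user`, `event`, `mfa`, `client`, `ip`, `items`), the `trusted_device_exception` reason string and the `1000`-item threshold are assumptions, and the log lines are constructed for illustration.

```python
"""Correlate MFA-skipped sign-ins with bulk mailbox sync (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed log lines for illustration (not real McLeod Health data). The
# schema is an assumption: "signin" records carry an mfa outcome, "mailbox_sync"
# records carry the number of items the client pulled in that session.
SAMPLE_LOG = """\
{"ts":"2020-04-13T02:11:09Z","user":"j.doe","event":"signin","mfa":"satisfied","client":"Outlook","ip":"198.51.100.10"}
{"ts":"2020-04-13T22:40:31Z","user":"j.doe","event":"signin","mfa":"skipped","reason":"trusted_device_exception","client":"IMAP","ip":"203.0.113.7"}
{"ts":"2020-04-13T22:41:02Z","user":"j.doe","event":"mailbox_sync","items":1800,"client":"IMAP","ip":"203.0.113.7"}
{"ts":"2020-04-14T23:02:55Z","user":"j.doe","event":"signin","mfa":"skipped","reason":"trusted_device_exception","client":"IMAP","ip":"203.0.113.7"}
{"ts":"2020-04-14T23:03:20Z","user":"j.doe","event":"mailbox_sync","items":2100,"client":"IMAP","ip":"203.0.113.7"}
{"ts":"2020-04-16T01:17:44Z","user":"j.doe","event":"mailbox_sync","items":950,"client":"IMAP","ip":"203.0.113.7"}
{"ts":"2020-04-15T08:00:12Z","user":"a.smith","event":"signin","mfa":"satisfied","client":"Outlook","ip":"198.51.100.22"}
{"ts":"2020-04-15T08:05:40Z","user":"a.smith","event":"mailbox_sync","items":40,"client":"Outlook","ip":"198.51.100.22"}
"""


def parse_log(text):
    """Parse JSON-lines records and convert the ts field to a timezone-aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def mfa_bypass_signins(records):
    """Sign-ins that completed without MFA. Each one is a device or protocol
    exception that should be reviewed, whatever the reason field says."""
    return [r for r in records if r["event"] == "signin" and r.get("mfa") != "satisfied"]


def bulk_sync_alerts(records, threshold=1000):
    """Per (user, source IP): total items pulled and the calendar span of the
    sync activity. Sources at or above the item threshold are returned."""
    totals = defaultdict(lambda: {"items": 0, "first": None, "last": None})
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "mailbox_sync":
            continue
        t = totals[(r["user"], r["ip"])]
        t["items"] += r["items"]
        t["first"] = t["first"] or r["ts"]
        t["last"] = r["ts"]
    alerts = []
    for (user, ip), t in totals.items():
        if t["items"] >= threshold:
            span_days = (t["last"].date() - t["first"].date()).days + 1
            alerts.append({"user": user, "ip": ip, "items": t["items"], "days": span_days})
    return alerts


def correlate(records, threshold=1000):
    """Join the two signals: a bulk sync from a source that also skipped MFA for
    the same account is the highest-priority finding."""
    bypass_sources = {(r["user"], r["ip"]) for r in mfa_bypass_signins(records)}
    alerts = bulk_sync_alerts(records, threshold)
    for a in alerts:
        a["mfa_bypassed"] = (a["user"], a["ip"]) in bypass_sources
    return alerts


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed input the only finding is `j.doe` from `203.0.113.7`: 4850 items pulled across four calendar days, from a source whose sign-ins were exempted from MFA. The low-volume `a.smith` sync from a normal client is not reported. Keying on source IP rather than user alone is what separates the attacker's sessions from the legitimate Outlook sign-in on the same account.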
