Cyber Incident Victim: Spokane Regional Health District

On or around February 24, 2022, the Spokane Regional Health District (SRHD) experienced a cybersecurity incident involving a phishing attack. The attack compromised sensitive health information belonging to 1,260 individuals. Exposed data included personal health records alongside other personally identifiable information, though the specific technical vector of the phishing campaign and the exact duration of unauthorized access were not publicly detailed in disclosures. The incident represented a breach of protected health information (PHI) under healthcare privacy regulations, necessitating formal notification to affected individuals. SRHD did not characterize the incident as ransomware or malware-related, focusing instead on the deceptive credential-compromise nature of the phishing event.

In response to the breach, SRHD implemented multi-factor authentication (MFA) across relevant systems to strengthen access controls and reduce the risk of unauthorized entry via compromised credentials. The organization also enhanced its cybersecurity training programs, emphasizing phishing recognition and reporting protocols for staff. While SRHD did not specify whether the phishing attack directly targeted employees or third-party vendors, the mitigation measures focused on internal human factors. The district confirmed the exposure of sensitive health data but did not report evidence of further misuse of the compromised information. No ransomware payments or data destruction were mentioned in connection with the incident. The breach notification process adhered to regulatory requirements for incidents affecting protected health information.