
Cyber Incident Victim: Hampton Roads Community Health Center

Date: Dec 2018

Location: United States of America

Summary

Hampton Roads Community Health Center experienced a server compromise exposing unencrypted patient information. The breach involved sensitive data including names, genders, dates of birth, health plan details, medical conditions, and in some cases addresses, Social Security numbers, payment card information, and driver's license numbers. The organization did not publicly disclose the number of affected individuals or the specific method of intrusion upon discovery of the incident.


Description

In December 2018, Hampton Roads Community Health Center discovered a compromise affecting a server containing unencrypted patient data. The organization did not publicly identify the method of intrusion or whether malicious actors exfiltrated or accessed specific records. The center delayed public notification until February 2019, when it posted a breach disclosure on its website. No details were provided regarding the timeline of initial detection, forensic investigation, or containment measures. The incident had not yet appeared on the U.S. Department of Health and Human Services’ breach reporting tool as of February 15, 2019, suggesting regulatory reporting might have been pending or incomplete at the time of the article’s publication. The center did not disclose the total number of affected individuals or whether all patients were impacted. No information was released regarding whether law enforcement was notified or involved in investigating the incident. Whether the compromise was a single intrusion or prolonged unauthorized access remained unspecified in available sources.


Exposed data included first and last names, genders, dates of birth, health plan details, member identification numbers, and medical condition information. For some individuals, the breach additionally involved addresses, Social Security numbers, credit card information, or driver’s license numbers. The center’s notification did not clarify whether all exposed elements applied uniformly across affected records or varied by patient. No remediation offers—such as credit monitoring services—were mentioned in the public disclosure. The absence of encryption on the compromised server heightened risks of identity theft, financial fraud, and medical privacy violations. Hampton Roads Community Health Center provided no information about system security changes implemented post-breach or whether third-party cybersecurity experts assisted in the response. Patients received no specifics about how attackers potentially exploited vulnerabilities to gain server access. The incident’s operational disruption to healthcare services, if any, was not addressed in the notification.
