Cyber Incident Victim: NorthCare

Date:

May 2021

Location:

United States of America

Summary

NorthCare, an Oklahoma City-based mental health clinic, experienced a ransomware attack in which attackers encrypted files and potentially accessed protected health information of approximately 127,883 patients. The breach involved sensitive data including names, addresses, dates of birth, medical diagnoses, and Social Security numbers, though unauthorized data exfiltration was not confirmed. The organization contained the incident, restored systems from backups without paying the ransom, and engaged third-party forensics experts while notifying law enforcement. Security improvements were implemented to limit network access, and affected individuals received complimentary identity monitoring and theft restoration services for one year.

Description

On May 29, 2021, attackers breached the network of NorthCare, an Oklahoma City-based mental health clinic, deploying ransomware that encrypted files and disrupted operations. The organization detected suspicious network activity on June 1, 2021, and confirmed that the unauthorized access coincided with the ransomware deployment. Attackers rapidly executed encryption to block access to files and demanded payment for decryption keys. While NorthCare could not prevent file encryption, it restored systems using backups without paying the ransom. Forensic analysis revealed the compromised network segments contained protected health information (PHI) of patients. Though investigators found no definitive evidence of data exfiltration, NorthCare operated under the assumption that attackers accessed patient records. The potentially compromised data included full names, addresses, dates of birth, medical diagnoses, and Social Security numbers. The breach impacted 127,883 individuals according to notifications submitted to the Maine attorney general.

NorthCare initiated containment measures immediately upon detecting the incident and engaged third-party forensic specialists to investigate the breach scope and assist remediation. The Federal Bureau of Investigation received formal notification of the attack. Technical security enhancements were implemented to restrict network access and strengthen system defenses. As a precaution against potential identity theft or fraud stemming from exposed PHI, NorthCare provided affected individuals with 12 months of complimentary identity monitoring, fraud consultation, and identity theft restoration services. The organization emphasized ongoing collaboration with cybersecurity experts to mitigate future risks while maintaining care continuity throughout recovery operations. No operational downtime or care interruptions were reported due to the successful restoration from backups.
