Cyber Incident Victim: Valley View Hospital

On January 19, 2022, Valley View Hospital in Colorado discovered unauthorized access to four employee email accounts following a phishing scam. The hospital immediately secured the compromised accounts to prevent further intrusion and engaged a forensic security firm to investigate the incident’s scope and confirm the integrity of its email and computer systems. The investigation determined the unauthorized third party gained access through phishing tactics, though the exact timing of the initial breach was not publicly disclosed. By March 29, 2022, the hospital confirmed the accessed accounts contained personal information belonging to patients and employees, though they stated no evidence indicated data was exfiltrated or removed from their systems. The incident potentially impacted approximately 21,000 individuals, including both hospital staff and patients, making it a significant compromise of sensitive data.

Valley View began mailing notification letters to affected individuals on March 19, 2022—ten days before concluding the accounts contained personal information—and established a dedicated toll-free call center for inquiries. The hospital emphasized its commitment to privacy and security in public statements, acknowledging the incident’s severity while asserting systems were secured post-discovery. No specifics regarding the types of compromised data (e.g., medical records, Social Security numbers) were disclosed in available sources, nor were technical details about the phishing vectors or attacker identity revealed. The hospital’s substitute notice and press release framed the event as a contained intrusion with no evidence of data misuse, though the potential risk to 21,000 individuals underscored the operational and reputational consequences. Valley View did not report regulatory fines or legal actions stemming from the breach in the provided materials.