Cyber Incident Victim: Wheeling Health Right

Wheeling Health Right (WHR), a West Virginia-based clinic providing healthcare services to low-income and uninsured individuals, discovered a cyberattack on January 18, 2022. The organization characterized the incident as a "highly-sophisticated cyberattack" that involved unauthorized system encryption and potential data access. WHR immediately engaged cybersecurity experts to investigate the scope and nature of the breach following detection. The forensic investigation confirmed that an unauthorized actor had successfully encrypted the clinic's systems during the attack timeframe. Analysis further revealed that the attacker potentially accessed and exfiltrated sensitive personal and health information belonging to patients and possibly other individuals associated with the clinic.

The compromised data included multiple categories of personally identifiable information and protected health information. Specifically exposed data elements encompassed full names, physical addresses, Social Security numbers, tax-related information, email addresses, telephone numbers, income details, driver's license numbers, medical record numbers, and unspecified health information. WHR initiated individual notification procedures for affected parties following completion of the investigation, though the total number of impacted individuals remained undisclosed in public reporting. The clinic's notification did not specify whether identity protection services were offered to affected individuals, unlike breach responses detailed for contemporaneous incidents at Horizon Actuarial Services and Central Indiana Orthopedics. No information regarding operational disruptions, ransom demands, or payment was disclosed in relation to the Wheeling Health Right incident.