Cyber Incident Victim: Black River Medical Center
Date: Apr 2018
Location: United States of America
Summary
Black River Medical Center experienced a phishing attack compromising an employee's email account, potentially exposing patient names, addresses, phone numbers, and limited treatment information, though no Social Security numbers or financial data were involved. The organization found no evidence of actual access, viewing, or misuse of the data but proactively notified affected individuals, providing a dedicated call center and online resources for additional information.
Description
On April 23, 2018, Black River Medical Center in Missouri discovered that an employee’s email account had been compromised through a phishing attack. The organization’s IT department immediately initiated an investigation to assess potential risks to patient information. The investigation confirmed that an unauthorized third party had gained access to the email account between an unspecified date and April 23. While the intruder could have viewed or accessed the contents of the compromised account, the medical center found no conclusive evidence that patient data was actually accessed, copied, or misused. The exposed information included patients’ names, addresses, phone numbers, and limited treatment details in some cases. Notably, the investigation confirmed that Social Security numbers and financial or billing information were not stored in the affected email account, limiting the scope of potential harm.

Black River Medical Center mailed notification letters to an unspecified number of potentially affected patients on June 13, 2018, approximately seven weeks after detecting the breach. The letters described the nature of the incident, clarified the types of data involved, and provided a toll-free call center (1-800-939-4170) operational Monday through Friday from 7:00 AM to 7:00 PM Central Time for additional inquiries. Patients were also directed to a dedicated webpage for further information. The organization reiterated that no evidence of actual data access or misuse had been identified but undertook notification as a precautionary measure. The incident was not yet listed on the U.S. Department of Health and Human Services’ public breach tool at the time of the June 13 public disclosure, with the article noting uncertainty about whether this reflected a small affected population (under 500 individuals) or administrative delays in federal reporting. Black River Medical Center emphasized patient privacy as a priority but did not disclose specific remediation steps beyond the investigation and notifications.
