Cyber Incident Victim: Cheyenne Regional Medical Center

Date: Mar 2019

Location: United States of America

Summary

Cheyenne Regional Medical Center experienced unauthorized access to multiple employee email accounts over several weeks, with attackers potentially targeting payroll information and patient data exchanged for administrative purposes. The investigation could not confirm whether specific files were viewed but determined compromised accounts contained patient names, dates of birth, Social Security numbers, driver's licenses, medical details, treatment information, health insurance data, and limited financial records. Notification delays occurred due to challenges in reviewing affected accounts and identifying impacted individuals, though the organization subsequently offered credit monitoring and identity protection services to those affected.

Description

Cheyenne Regional Medical Center (CRMC) in Wyoming detected suspicious activity involving employee payroll accounts on or around April 5, 2019, prompting an internal investigation. The investigation revealed unauthorized access to multiple employee email accounts between March 27, 2019, and April 8, 2019. While forensic analysis confirmed the intrusion timeline, investigators could not determine which specific files or messages were accessed or viewed during the compromise period. CRMC assessed that the attackers' primary objective was likely to obtain employee payroll information, though they acknowledged the possibility that patient data within the email accounts may also have been targeted. The organization completed its review of all impacted email accounts on November 1, 2019, but faced delays in notifying affected parties due to challenges compiling current contact information for notification recipients. This timeline resulted in public disclosure occurring approximately eight months after initial detection.

The compromised email accounts contained patient information due to CRMC staff exchanging clinical and administrative details through email for consultations and operational purposes, despite organizational policies requiring secure storage in electronic health records systems. Exposed data potentially included patient names, dates of birth, Social Security numbers, driver's license numbers, treatment dates, provider names, medical record numbers, diagnosis details, treatment information, health insurance data, and limited instances of credit card or financial account information. CRMC engaged Kroll to provide identity monitoring services to affected individuals and published a detailed incident timeline on its website, explicitly addressing the extended notification period relative to HHS's 60-day breach notification guideline. The public notice emphasized that all email exchanges containing patient information followed organizational security procedures at the time of transmission, though it did not specify the number of affected individuals or elaborate on technical containment measures implemented following the incident.
