Cyber Incident Victim: First Street Family Health Center
Date: Jul 2022
Location: United States of America
Summary
First Street Family Health experienced a destructive cyberattack involving unauthorized system access, resulting in exfiltration and deletion of patient records without ransomware encryption. Attackers destroyed electronic medical records and backups covering over a year of data, causing permanent loss of information including sensitive details such as Social Security numbers, medical diagnoses, treatment details, and insurance information. While no evidence confirmed theft of the destroyed records, medical referral forms stored on compromised systems were potentially accessed but later restored from intact backups. The breach impacted 7,310 individuals who received notifications and credit monitoring services. The organization engaged cybersecurity experts to investigate and implement enhanced security measures following the incident.
Description
On July 16, 2022, First Street Family Health detected unauthorized access to its computer systems, later determined to have originated on July 5, 2022. The attackers exfiltrated and subsequently deleted patient files from the Salida, CO-based healthcare provider without deploying ransomware. This attack resulted in the permanent loss of electronic medical records spanning June 28, 2021, to July 15, 2022, as both primary records and backups were destroyed. While investigators found no evidence that these medical records were stolen prior to deletion, medical referral forms stored on compromised systems may have been accessed or acquired. The breach exposed sensitive patient information including full names, addresses, birth dates, Social Security numbers, health insurance details, medical diagnoses, lab results, medications, and billing information. The organization successfully restored referral forms from unaffected backups but could not recover the destroyed medical records. Unauthorized access was terminated on July 16 upon detection, limiting further data manipulation.

First Street Family Health engaged a national cybersecurity firm to investigate the incident and conduct a comprehensive security review. On August 26, 2022, the provider mailed notification letters to 7,310 affected individuals, as subsequently reported to the HHS Office for Civil Rights. The notifications disclosed the scope of compromised data and offered complimentary credit monitoring through CyberScout’s service. Organizational response included implementing additional security measures based on the cybersecurity firm’s recommendations to prevent recurrence. No extortion demands or publication threats were referenced in the public disclosure, though the attack methodology aligned with emerging patterns of data theft followed by destructive deletion. The permanent loss of over a year’s worth of medical records created operational challenges for patient care continuity, while the exposure of sensitive identifiers necessitated protective services for impacted individuals.
