Cyber Incident Victim: Penn Highlands Brookville

In October 2014, Penn Highlands Brookville (PHB) in Pennsylvania disclosed a cybersecurity incident involving unauthorized access to patient records associated with Dr. Barry Snyder’s practice. The breach did not originate from PHB’s own systems or directly impact Dr. Snyder’s operations but instead stemmed from a compromise at an unnamed third-party vendor responsible for hosting the affected patient data. At the time of the initial disclosure, PHB provided limited details about the incident, declining to identify the external service provider or specify the number of individuals impacted. The lack of immediate transparency left patients and stakeholders with unresolved questions about the scope and responsible parties involved in the breach.

Updated information emerged on November 7, 2014, when PHB’s breach appeared in the U.S. Department of Health and Human Services (HHS) public breach reporting tool. This filing confirmed M&M Computer Services, an Ohio-based firm, as the compromised third-party vendor entrusted with storing Dr. Snyder’s patient records. The incident affected 4,500 patients, all of whom received breach notifications following the investigation. The disclosure through HHS marked the first official acknowledgment of both the vendor’s identity and the scale of impacted individuals. No additional technical details about the attack vector, data exfiltration methods, or containment measures were publicly released by PHB or M&M Computer Services. The incident underscored the risks associated with third-party data management in healthcare and highlighted delays in initial breach transparency.