Cyber Incident Victim: Nevada Health Centers

On November 20, 2020, Nevada Health Centers discovered unauthorized access to an employee’s email account. The breach persisted until December 7, 2020, when the unauthorized activity was terminated. The organization initiated an investigation but could not conclusively determine whether patient data was accessed or exfiltrated during the intrusion period. Nevada Health Centers stated the attacker’s primary motivation appeared to target financial information related to the organization rather than protected health information (ePHI). Despite this assessment, the entity acknowledged that patient data stored within the compromised email account could have been exposed. Notifications were issued to an undisclosed number of affected patients, though the organization did not publicly specify the exact scope of individuals impacted.

The breach disclosure contained ambiguous language regarding the potential risks to patients, making it difficult for recipients to evaluate their personal exposure. Nevada Health Centers did not clarify whether forensic analysis confirmed actual data theft or merely confirmed unauthorized access to the email environment. No details were provided about the types of patient information potentially accessible in the email account, such as medical records, identifiers, or financial data. The incident timeline suggests a 17-day period between initial compromise and containment, with no public information available about detection methods or remediation steps taken. Nevada Health Centers’ communication emphasized uncertainty about the attacker’s intent while maintaining that ePHI was not the presumed target.