Cyber Incident Victim: Grant Regional Health Center

Date: Apr 2023

Location: United States of America

Summary

A cyberattack disrupted Grant Regional Health Center's operations after unauthorized access to an employee email account was discovered. The breach exposed the protected health information of over 4,100 patients, including names in combination with sensitive data elements such as dates of birth, Social Security numbers, financial account details, and medical and health insurance information. The investigation found no evidence of actual or attempted misuse of the compromised patient data following the incident.

Description

On or around April 17, 2023, unauthorized individuals gained access to the IT systems of Mountain View Hospital and Idaho Falls Community Hospital. The intrusion was not detected until Memorial Day, which fell on May 29, 2023. Upon discovery of the cyberattack, the hospitals immediately implemented emergency protocols. As a precautionary measure, ambulances were diverted to other healthcare facilities to ensure patient safety and continuity of care. This ambulance diversion remained in effect through the following Wednesday due to persistent network issues stemming from the attack. Despite the network outage, both hospitals remained open and operational. Clinical staff manually recorded patient information using paper-based systems to maintain essential healthcare services.

Concurrently, several clinics in rural Idaho operated by the same entity were also impacted. One clinic, Mountain View RediCare, made the decision to temporarily close its doors entirely to facilitate the remediation of the attack. All other affiliated clinics remained open but were forced to operate at a reduced capacity, offering limited services to patients. The forensic investigation into the incident determined that the hackers maintained unauthorized access to the hospital systems for a prolonged period, from the initial breach date of April 17, 2023, until the date of detection on May 29, 2023. During this six-week period, the threat actors accessed and exfiltrated files containing sensitive patient information.

The compromised files contained an extensive array of protected health information. The data elements exposed included patient names, contact information, demographic details, dates of birth, medical record numbers, and patient account numbers. Diagnosis and treatment information, prescription details, provider names, dates of service, facilities of service, and health insurance information were also accessed and removed from the systems. For a limited subset of patients, more sensitive identifiers including Social Security numbers and driver's license information were stolen. The investigation confirmed that files were removed from the IT environment.

In response to the confirmed data exposure, Mountain View Hospital undertook patient notification efforts. Notification letters were sent to 1,043 affected individuals on July 3, 2023. For those individuals whose Social Security numbers and/or driver's license information were involved in the incident, the hospital offered complimentary credit monitoring and identity theft protection services to help safeguard against potential misuse of their information. Throughout the incident response, the hospitals prioritized patient safety and the restoration of critical systems. IT and security teams worked around the clock to clean affected systems, restore access to computer networks, and resolve the ongoing network issues that had necessitated the manual recording of patient data and the diversion of ambulances.

The incident caused significant operational disruption, requiring a shift to manual processes for patient registration and record-keeping. The need to divert ambulances indicated a substantial impact on the emergency medical services ecosystem in the region, placing additional strain on neighboring healthcare facilities. The temporary closure of the Mountain View RediCare clinic and the reduced services at other clinics further limited healthcare access for patients in the affected rural communities. The full scope of the attack encompassed unauthorized access and data exfiltration over a 42-day period, impacting two hospitals and multiple clinics under the same operator. The forensic investigation was crucial in determining the timeline of the attack and the specific types of patient data that were accessed and acquired by the unauthorized parties.
