Cyber Incident Victim: Central Utah Clinic

In June 2014, Central Utah Clinic in Provo, Utah, experienced a server compromise that potentially exposed the personal health information of 31,677 patients. Unauthorized intruders breached a single server containing patient data, including names, dates of birth, Social Security numbers, addresses, and phone numbers. The compromised server also stored a subset of written imaging and radiology reports dating back to 2010 and earlier. The clinic confirmed the intrusion through internal investigation but found no evidence that personal information was actually viewed or copied to unauthorized locations. Other clinic servers remained secure during the incident, limiting the breach's scope to one system. The compromised data represented a fraction of the clinic's patient records, with no indication that medical histories or active treatment plans were accessed.

Central Utah Clinic isolated the affected server immediately upon discovering the breach and launched an investigation to determine the intrusion's extent. The clinic notified all impacted patients by mail in September 2014 and reported the incident to appropriate authorities. As a precautionary measure, the organization offered free personal credit monitoring services to affected individuals despite finding no evidence of data exfiltration. CEO Scott Barlow emphasized the clinic's commitment to transparency in a public statement, acknowledging the breach while clarifying that patient information showed no signs of misuse. The clinic maintained standard operations throughout the response, with no reported disruptions to patient care services following server isolation.