
Cyber Incident Victim: Independent Case Management

Date: Dec 2021

Location: United States of America

Summary

A ransomware attack encrypted servers at a healthcare provider, compromising historical worker and customer information including names, addresses, birth dates, health records, insurance details, Medicaid numbers, and Social Security numbers; detection occurred months after the encryption, prompting isolation of affected systems and implementation of multifactor authentication alongside enhanced monitoring. Separately, a business email compromise at another healthcare services firm exposed protected health information—such as medical data, financial account details, and Social Security numbers—through unauthorized access to a single email account, leading to strengthened email security controls and identity protection offerings for impacted individuals. Both incidents involved unauthorized access to sensitive data but were contained to specific systems.


Description

On December 24, 2021, attackers encrypted three servers belonging to Independent Case Management (ICM), a Little Rock, Arkansas-based provider of home and community-based assistance for individuals with mental and developmental disabilities. The attackers left a ransom note on the compromised systems, though ICM did not detect the intrusion until nearly six months later on June 15, 2022. These servers exclusively stored historical employee and client records, containing protected health information (PHI) and personally identifiable information (PII) for 3,307 individuals. Upon discovery, ICM immediately engaged a third-party IT firm to isolate the affected servers, conduct security scans, and block all access to prevent further compromise. Forensic analysis confirmed no impact to other systems or active operational data. The encrypted servers held names, addresses, dates of birth, health records, insurance policy details, payment information, Medicaid identification numbers, and Social Security numbers. Investigators could not determine whether specific data elements were accessed, exfiltrated, or misused due to the nature of the ransomware encryption.


ICM formally notified all 3,307 affected individuals about the potential exposure of their sensitive information following the investigation. The organization implemented multiple security enhancements in response, including the deployment of multifactor authentication across systems, increased monitoring of network activity, and expanded cybersecurity training for personnel. Routine security scanning protocols were also strengthened to improve early threat detection capabilities. While employee records were among the compromised historical data, the breach did not disrupt ongoing client services or impact current operational systems. The six-month gap between the server encryption and detection highlighted vulnerabilities in ICM's historical data storage environment, though containment measures prevented lateral movement to primary networks. No evidence suggested misuse of the exposed data as of the notification date, but the incident rendered historical records inaccessible due to encryption.
