Cyber Incident Victim: York Hospital

Date: Feb 2016

Location: United States of America

Summary

A Maine hospital experienced a cyberattack compromising employees' personal information, including names, addresses, Social Security numbers, and W-2 forms, affecting 1,483 staff across four campuses. While patient data remained secure on separate systems, the institution notified affected individuals through multiple channels, provided identity theft protection, and collaborated with federal law enforcement to investigate the incident.

Description

On February 22, 2016, York Hospital in Maine discovered unauthorized access to its network systems, resulting in the compromise of personal identifying information belonging to 1,483 employees across its four campuses. Attackers infiltrated the hospital's network specifically targeting staff employment records, accessing names, addresses, Social Security numbers, and W-2 forms. The breach did not extend to patient health information or medical records, which were maintained on separate systems according to hospital officials. York Hospital promptly initiated an internal investigation upon detection and engaged external cybersecurity experts to assess the intrusion's scope. The compromised employee data posed significant identity theft risks due to the inclusion of tax documentation and national identifiers.

York Hospital publicly disclosed the incident through a press release on February 24, 2016, and directly notified affected employees via physical mail and email communications. The organization offered complimentary identity theft protection services for one year to mitigate potential financial harm to victims. Collaborating with the FBI's Boston Field Office, the hospital pursued criminal investigations to identify the perpetrators. Legal counsel was retained to manage regulatory compliance and breach notification obligations. Marketing Director Jody Merrill emphasized in official statements that patient care systems remained uncompromised, noting the segregation between employee records and medical data infrastructure. The hospital maintained operational continuity throughout the response while reinforcing network security measures to prevent recurrence.
