Cyber Incident Victim: Valley Professionals Community Health Center
Date:
Nov 2018
Location:
United States of America
Summary
A data breach at Valley Professionals Community Health Center compromised personal information of over 12,000 patients across all seven of its healthcare locations and mobile operations. The incident originated from a phishing email received by an employee, initially believed to be from a trusted healthcare partner but later suspected to be fraudulent, with the organization's CEO indicating a high likelihood of malicious intent. The unauthorized access exposed sensitive patient data, though specific data types weren't detailed in available reports. The breach notification confirmed widespread potential impact on individuals served by the health network.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The data breach at Valley Professionals Community Health Center (VPCHC) began in late November 2018 when an employee received a fraudulent email appearing to originate from a trusted healthcare organization. The employee, believing the communication to be legitimate from a prior collaborator, interacted with the message, which investigators later identified as a phishing attempt. This unauthorized access potentially compromised sensitive personal information across all seven VPCHC healthcare facilities, including their mobile operations unit. CEO Terry Warren publicly characterized the incident as having approximately a 90% probability of being a phishing attack impersonating a colleague from another health center. Forensic analysis confirmed the breach exposed data belonging to over 12,000 patients, though the notification did not specify exact data types accessed.
VPCHC initiated breach response protocols following the discovery, culminating in a public notification posted to their official website. The organization did not disclose specific containment measures taken beyond acknowledging the incident's phishing vector. External media coverage through MyWabashValley.com and DataBreaches.net brought public attention to the event by January 31, 2019, over two months post-incident. No evidence suggests ransomware deployment or data exfiltration demands occurred. The compromised information placed affected patients at heightened risk of identity theft and medical fraud due to the healthcare context of the exposed records. All impacted individuals received formal breach notifications detailing the unauthorized access timeframe and potential data exposure.