Cyber Incident Victim: Pawnee County Memorial Hospital
Date: Nov 2018
Location: United States of America
Summary
Pawnee County Memorial Hospital experienced a data breach when an employee email account was compromised via a phishing attack involving a malicious email attachment, granting unauthorized access for eight days. The Nebraska-based facility determined that attackers potentially accessed protected health information of 7,038 patients, including names combined with demographic, clinical, and insurance information, government-issued IDs, and Social Security numbers for some individuals. Affected patients were offered complimentary credit monitoring services following the incident.
Description
Pawnee County Memorial Hospital in Nebraska discovered a malware incident on November 29, 2018, involving unauthorized access to an employee email account. The breach occurred after an employee opened a malicious email attachment on November 16 that appeared to originate from a trusted source. This phishing attack resulted in malware being injected into the hospital's systems, granting attackers continuous access to the compromised email account until November 24—an eight-day period of unauthorized activity. Protected health information exposed during this timeframe included patients' full names combined with one or more identifiers: addresses, dates of birth, service dates, medical record numbers, clinical details such as diagnoses and lab results, insurance information, and driver's license or state ID numbers. A subset of affected individuals also had their Social Security numbers compromised.

The hospital initiated notification procedures for all 7,038 impacted patients following their internal investigation. PCMH confirmed the malware specifically targeted a single employee's email account rather than broader hospital systems or electronic medical records. As part of their remediation efforts, the organization arranged complimentary one-year enrollment in TransUnion Interactive's myTrueIdentity credit monitoring service for affected individuals. The substitute breach notice detailed the types of exposed data but did not specify whether email contents beyond patient information were accessed or whether the attackers exfiltrated data from the account. No evidence suggested broader network infiltration beyond the compromised email account during the eight-day access period.
