Cyber Incident Victim: Henderson & Walton Women's Center

On or around April 11, 2022, Henderson & Walton Women’s Center (HWWC), a Birmingham, Alabama-based healthcare provider, experienced a data breach involving unauthorized access to an employee’s email account. The breach was discovered following a forensic investigation, which determined that a hacker infiltrated the account and potentially accessed sensitive patient information. By June 24, 2022, HWWC completed its review of the compromised data, confirming the exposure of protected health information (PHI) and personally identifiable information (PII) belonging to 34,306 patients. The compromised data included full names, dates of birth, Social Security numbers, medical records, and other unspecified PHI. HWWC delayed patient notifications until August 2022, nearly four months after the breach discovery, to conduct a thorough assessment of the incident’s scope.

The breach stemmed from the compromise of stored emails within the employee’s account, despite HWWC’s implementation of email encryption measures prior to the incident. Exfiltrated data exposed affected individuals to heightened risks of identity theft, financial fraud, and medical privacy violations due to the sensitivity of the stolen information. In response, HWWC issued notification letters to all impacted patients and offered complimentary credit monitoring services to mitigate potential harm. The organization did not publicly disclose whether law enforcement was involved or if the attacker’s identity or motives were determined. No ransomware deployment or broader system compromise beyond the targeted email account was reported. HWWC’s post-incident actions focused on reinforcing email security protocols, though specific technical or operational changes beyond the pre-existing encryption were not detailed in public disclosures.