Date: Nov 2019

Location: United States of America

Summary

The Native American Rehabilitation Association of the Northwest experienced a malware incident involving Emotet after employees fell for a phishing attempt, leading to unauthorized access to email accounts containing patient information. The attack was contained within two days, but compromised records included names, addresses, birth dates, Social Security numbers, medical IDs, and clinical details such as diagnoses and treatment information. Approximately 1.3% of patients had data confirmed to be exposed or at heightened risk of exposure; some of this information resided in email bodies, while the rest was in attachments that were treated as potentially accessed even though the evidence of access was inconclusive. A separate group of patients received notifications because of potential exposure risk, without confirmed access to their data.


Description

On November 4, 2019, the Native American Rehabilitation Association of the Northwest (NARA NW) in Portland, Oregon, experienced a cybersecurity incident when employees fell victim to a phishing attack that delivered Emotet malware. The malware compromised email accounts within the organization’s systems. NARA NW detected the intrusion rapidly, containing the incident by November 5, 2019, limiting active malware exposure to a two-day window. The organization engaged a digital forensics and cybersecurity firm to investigate the breach, which revealed unauthorized access to email accounts containing sensitive patient information. On January 3, 2020, NARA NW publicly disclosed the incident, confirming that the attack vector involved phishing tactics leading to Emotet infection, though no evidence suggested broader system infiltration beyond the compromised email accounts.


The investigation identified 344 current or former patients—approximately 1.3% of NARA NW’s electronic records population—whose personal and health data were confirmed or suspected to have been accessed without authorization. Exposed information included names, home addresses, birth dates, Social Security numbers, medical record or patient ID numbers, diagnoses, treatment details, service dates, and clinical notes. While some data resided directly in email bodies, other records were embedded solely in email attachments; though forensic analysis found no definitive proof of attachment access, NARA NW treated these records as potentially compromised. A secondary group of patients received notifications despite lacking evidence of actual data access, reflecting the organization’s precautionary approach. No ransomware deployment, data exfiltration for extortion, or misuse of information was reported. NARA NW issued breach notifications to all affected individuals, detailing the scope of exposed data and advising vigilance against identity theft or fraud. The incident underscored risks associated with phishing-enabled malware infections in healthcare environments handling sensitive patient records.
