Cyber Incident Victim: Five Rivers Health Centers

Five Rivers Health Centers, based in Ohio, discovered a data security incident stemming from a phishing attack that compromised employee email accounts. The organization identified unauthorized access to email accounts on March 31, 2021, following a forensic investigation. This breach occurred between April 1, 2020, and June 2, 2020, with attackers gaining entry through phishing emails. The compromised accounts contained sensitive personal information and protected health information belonging to patients. On May 28, 2021, Five Rivers formally notified the U.S. Department of Health and Human Services about the incident. The forensic review confirmed the duration of unauthorized access but did not specify the exact number of compromised accounts or the attackers' identity. Five Rivers emphasized its commitment to privacy but did not disclose whether multi-factor authentication or other security measures were bypassed during the attack.

The incident affected 155,748 individuals, though Five Rivers clarified it did not impact all patients. Exposed data included protected health information and personally identifiable information, though specific data types (such as Social Security numbers or medical records) were not detailed in the public notice. Five Rivers began notifying affected individuals on May 28, 2021, coinciding with its HHS breach report. The organization established a dedicated toll-free response line (855-537-2106) for inquiries but did not publicly announce credit monitoring services or other remediation offers. No ransomware deployment, data exfiltration claims, or financial demands by threat actors were reported. The phishing incident prompted internal security reviews, though Five Rivers did not disclose specific procedural or technical changes implemented post-breach.