Cyber Incident Victim: Schneck Medical Center

Schneck Medical Center publicly disclosed a data security incident on September 29, 2021, through a notice on its website, revealing that unauthorized actors had accessed and exfiltrated files containing protected health information. The breach impacted a limited but unspecified number of patients, with the incident absent from HHS’s public breach tool at the time of reporting. Compromised data included full names, addresses, dates of birth, medical record or internal identification numbers, driver’s license or state identification details, medical diagnoses and conditions, and health insurance or claims information. A subset of patients additionally had Social Security numbers, financial account details, or payment card information exposed. The medical center did not characterize the incident as ransomware-related or disclose whether any ransom demands were made or paid.

Schneck provided no timeline for initial detection of the breach or justification for the seven-month delay between the intrusion and patient notifications. The organization asserted it had "no evidence that any of the information was or will be misused," prompting external inquiries about the basis for this claim regarding future misuse risks. Credit monitoring services were offered to an undisclosed subset of affected individuals. Media outlet The Tribune first reported the breach publicly, while Schneck’s formal notice omitted technical details regarding intrusion methods, containment procedures, or forensic investigation outcomes. The scope of impacted systems and operational consequences beyond data exposure remained undisclosed in available public statements.