Cyber Incident Victim: Winslow Memorial Hospital

On April 21, 2022, Winslow Memorial Hospital, operating as Little Colorado Medical Center (LCMC), detected suspicious activity within its computer network. The hospital immediately secured its systems, notified law enforcement agencies, and initiated a forensic investigation to determine the nature and scope of the incident. The investigation confirmed that an unauthorized actor had gained access to portions of LCMC's IT infrastructure during a period spanning from March 7, 2022, to April 21, 2022. While the hospital did not publicly disclose the specific attack vector or compromised systems, it acknowledged that any files accessible to the threat actor during this 45-day window were likely exposed. LCMC's investigation remained ongoing as of May 2023, with the organization working to identify precisely which patient data elements were accessed and which individuals were affected by the security breach.

On May 25, 2023—over thirteen months after detecting the intrusion—LCMC filed a formal notice of data breach with the Massachusetts Attorney General's office and began issuing notification letters to confirmed affected individuals. The hospital stated these initial notifications would be followed by additional letters as the continuing investigation identified more impacted parties. While LCMC did not specify the types of data potentially compromised, it emphasized that all information within accessed files was subject to unauthorized exposure. As a nonprofit facility serving approximately 30,000 patients annually in Northern Arizona, the breach potentially affected a significant portion of its patient population across services including emergency care, surgery, obstetrics, and cardiology. The hospital maintained operations throughout the investigation but provided no public updates regarding containment measures beyond the initial system security actions taken in April 2022.