Cyber Incident Victim: University of New Mexico Health
Date: Mar 2021
Location: United States of America
Summary
A cyberattack compromised the network of University of New Mexico Health, exposing data of over 637,000 patients. Intruders accessed and exfiltrated personal and medical information—including names, contact details, dates of birth, medical record numbers, insurance data, clinical information, and Social Security numbers for some individuals—during a two-month intrusion discovered after the fact. Electronic health records remained unaffected. The organization responded by reinforcing staff cybersecurity training and implementing enhanced protective measures.
Description
University of New Mexico Health experienced a cybersecurity incident in which an unauthorized actor gained access to its network, with initial access occurring in March 2021. The breach remained undetected for approximately two months, during which the threat actor accessed and exfiltrated sensitive patient data. The intrusion was discovered on June 4, 2021, prompting an immediate investigation to determine the scope and nature of the compromise. Officials confirmed that the attackers obtained files containing personal and health information belonging to 637,252 patients, making this incident the eighth-largest reported breach in the healthcare sector during that year.

The compromised data included patient names, contact information, dates of birth, medical record or identification numbers, health insurance details, and certain clinical information. A subset of affected individuals also had their Social Security numbers exposed. Investigators determined that the electronic health record system itself was not accessed during the breach. Following the discovery, UNM Health notified impacted patients and offered complimentary credit monitoring services to those whose Social Security numbers were compromised. The organization implemented additional security measures and provided enhanced cybersecurity education to its workforce members to prevent future incidents. No further technical details about the attack methodology or specific containment actions were disclosed in the public notice.
