Cyber Incident Victim: Chelan Douglas Health District
Date: Jul 2021
Location: United States of America
Summary
The Chelan Douglas Health District experienced unauthorized system access potentially compromising identifiable personal and health information, including full names combined with Social Security numbers, dates of birth or death, financial account details, medical records, and health insurance data. The district's cybersecurity review concluded after approximately six to seven months, though regulatory standards typically require breach notifications within 60 days of discovery. Officials did not disclose whether the incident involved ransomware, whether data was encrypted, or how many individuals were affected, and the event had not yet appeared on federal breach reports or ransomware leak sites at the time of reporting. Their public notice emphasized that notification was issued out of caution, despite legal obligations mandating such disclosures.
Description
The Chelan Douglas Health District in Washington experienced a cybersecurity incident in early July 2021 that compromised identifiable personal and health information. Cybersecurity consultants concluded their investigation into the breach on February 12, 2022, with the health district publishing a public notification statement on its website approximately seven months after the intrusion occurred. The district did not disclose when it initially detected or confirmed the breach, leaving the timeline for mandatory reporting under HIPAA unclear. Exfiltrated data included individuals' full names combined with at least one additional sensitive identifier: Social Security numbers, dates of birth or death, financial account details, medical treatment or diagnosis information, patient record numbers, or health insurance policy information.

The health district declined to specify how many individuals were affected when questioned by media, and the incident had not yet appeared on federal breach reports at the time of initial disclosure. Their public notice characterized the disclosure as being made in an "abundance of caution," though critics contended this framing misleadingly implied notification was discretionary rather than legally required under HIPAA. The district's spokesperson asserted that a six-to-seven-month investigation period represented accelerated progress compared to purported industry norms of two to three years. No evidence emerged linking the incident to ransomware groups, as no related postings appeared on ransomware leak sites. The breach notification did not say whether the attackers encrypted data or how they gained access to systems. Impacted parties received unspecified guidance about protective measures while awaiting potential clarification of the incident's scope through future regulatory filings.
