Cyber Incident Victim: Valley Mountain Regional Center

Date: Sep 2021

Location: United States of America

Summary

Valley Mountain Regional Center experienced a phishing attack compromising employee email accounts after 14 staff members disclosed credentials via malicious links. Unauthorized access potentially exposed protected health information of 17,197 individuals, including names, contact details, diagnoses, medications, client identifiers, and service dates. The organization found no evidence of data misuse but notified affected parties to monitor for suspicious activity. Security measures were implemented following the incident to remove phishing messages and secure compromised accounts.

Description

Valley Mountain Regional Center (VMRC), based in Stockton, CA, detected unauthorized access to employee email accounts following a phishing campaign discovered on September 15, 2021. The organization identified suspicious phishing emails within its mailboxes and promptly removed all copies of the messages from its email system. Subsequent investigation revealed that 14 employees had interacted with the phishing links, disclosing their login credentials, which enabled threat actors to compromise those accounts. VMRC conducted a comprehensive review of the affected mailboxes to determine the scope of potentially exposed information. The compromised email accounts contained protected health information related to 17,197 patients, including names, addresses, dates of birth, state-issued client identifier numbers, telephone numbers, personal email addresses, diagnoses, medications, other potential unique identifiers, and dates of service. No evidence indicated that financial information was stored in the affected accounts.

VMRC's forensic analysis found no indication that unauthorized parties accessed, acquired, or misused the protected health information contained within the compromised email accounts. Despite this finding, the organization initiated notifications to all affected individuals as a precautionary measure. The notification advised patients to monitor their accounts and credit reports for unusual activity, though no specific recommendations for credit monitoring services were provided. The incident response included securing the breached email accounts and reinforcing security protocols to prevent similar future compromises. VMRC did not disclose whether additional security measures, such as multi-factor authentication implementation or employee retraining, were implemented following the breach. The organization maintained that its primary systems remained unaffected, with the breach confined specifically to the 14 compromised email accounts and their stored data.
