Phishing Attack at Cheyenne Regional Medical Center Compromised Patient Data

Cheyenne Regional Medical Center located in Wyoming lately discovered the compromise of patient data because of a phishing attack in April.

On or around April 5, 2019, the medical center received notification concerning a potential security breach after detecting suspicious activity associated with employee payroll accounts. About a week after, the medical center found out that the email accounts of employees were compromised.

The investigation showed that the attackers accessed employee email accounts from March 27, 2019 to April 8, 2019. It seems the purpose of the attack was to access the payroll data of employees. However, the attackers may have also viewed patient data included in email accounts.

The types of data possibly accessed by the attackers differed from one patient to another and might have involved names, birth dates, driver’s license numbers, Social Security numbers, dates of service, names of provider, patient identification numbers, medical record numbers, medical data, diagnoses, treatment data, and medical insurance details. The financial data or credit card numbers of a very small number of patients were likewise exposed.

The forensic investigators affirmed on August 21, 2019 that hackers potentially accessed patient data. Even though at that period of the investigation, the investigators do not know yet the full extent of the breach. The medical center only obtained a complete list of the affected patients on November 1, 2019.

The center also delayed the sending of notifications because it lacked up-to-date contact details of a considerable number of patients. It took a long time to find the information.

The medical center stated that the majority of patient data is kept in its electronic medical record system. However, staff members securely exchange information through email for management purposes and consultations.

The medical center already sent notification letters by mail to the affected patients and offered them free credit monitoring and identity theft protection services via Kroll.

Cheyenne Regional Medical Center should be given commendation for thoroughly explaining the breach and investigation, including the explanation of the delay in sending notifications for 8 months. All patients would like to be informed quickly when their personal and health data are exposed. However, breach investigations can sometimes take a lot of work and time before patients can be issued to notifications. With a comprehensive explanation, patients can know why it took a long time to be notified about the breach.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at