Patients Notified of Phishing Attack at Cheyenne Regional Medical Center
Cheyenne Regional Medical Center in Wyoming has recently learned that patient information may have been compromised as a result of a phishing attack discovered in April.
The medical center was alerted to a potential security breach following the detection of suspicious activity related to employee payroll accounts on or around April 5, 2019. Around a week later, the medical center learned that employee email accounts had been compromised.
The investigation revealed the attackers had gained access to employee email accounts between March 27, 2019 and April 8, 2019. The aim of the attack appears to have been to access employee payroll information, although patient information contained in email accounts may also have been accessed.
The types of information potentially accessed varied from patient to patient and may have included names, dates of birth, Social Security numbers, driver’s license numbers, dates of service, provider names, medical record numbers, patient identification numbers, medical information, diagnoses, treatment information, and health insurance information. A very small percentage of patients also had financial information or credit card numbers exposed.
The forensic investigation confirmed on August 21, 2019 that patient information was potentially accessed by the hackers, although at that stage of the investigation the full extent of the attack was not known. It was not until November 1, 2019 that the medical center obtained a full list of the 17,549 impacted patients.
There was a further delay in sending notifications because up-to-date contact information was not held for a significant number of patients. Finding that information took time.
The medical center explained that most patient information is stored in its electronic medical record system, but information is securely exchanged between staff members via email for administrative purposes and for consultations.
Affected patients have now been notified by mail and have been offered complimentary credit monitoring and identity theft protection services through Kroll.
Cheyenne Regional Medical Center should be commended for its thorough explanation of the breach and investigation, and the reason for the 8-month delay in sending notifications. All patients want to be notified quickly of any exposure of their personal and health information, but they will be unaware of the work involved in a breach investigation and how long it can take to find the information necessary to issue notifications. Such a detailed explanation will help patients to understand why it has taken so long to learn about the breach.