Hackers hit Cheyenne Regional in attack for payroll data

Cheyenne Regional Medical Center is among the latest healthcare providers falling victim to hackers seeking employee payroll accounts.

This past April, the organization, with 14 locations in Wyoming, was alerted to suspicious activity related to certain employee payroll accounts. While the medical center did not disclose how it learned of compromised accounts, such notifications often come from law enforcement agencies investigating multiple data breaches in healthcare and other industries.

Also See: 7 top data security threats for 2020 and what to do about them

With help from computer forensics experts, Cheyenne Regional learned that certain employee accounts were accessed without authorization in late March and early April.

“Unfortunately, the investigation was not able to determine which files, if any, were actually accessed or viewed during the affected time period,” the organization told affected patients in a notification letter. “While it appears this incident was focused on gaining access to our employees’ payroll information, we are unable to rule out the possibility that patient information contained in the impacted email accounts was subject to unauthorized access.”

By November 1, the review to determine the number of individuals whose information was possibly affected was complete, but Cheyenne Regional still lacked sufficient address information for much of the population, which necessitated an additional review of internal systems, and formal patient notifications began.

“Although to date we are unaware of any actual or attempted misuse of your personal information, we are providing notice in an abundance of caution because patient information was present in the impacted email accounts at the time of the incident,” patients were informed.

In total, 14 types of protected health information were comprised with the most vulnerable information being Social Security numbers, driver license numbers, medical information and credit card or financial account information.

Through Kroll, Cheyenne Regional Medical Center is offering patients identity protection and credit monitoring services for a specific period. In general, protective services remain in place for one or two years. Patients also received additional information on best practices to protect all of their sensitive data, healthcare related or otherwise.

“Cheyenne Regional Medical Center takes the privacy and security of the personal information in our care very seriously,” the organization told affected members. “We sincerely regret any inconvenience or concern this incident causes.”

The organization did not respond to a request for additional information, including the number of affected individuals. However, that number soon will be forwarded to the HHS data breach website.

For reprint and licensing requests for this article, click here.