By HFT Staff

On December 6, 2024, two Iron County employees reported receiving a suspicious email from a third Iron County employee directing the payment of an invoice.  The two recipients immediately reported the emails as potentially suspicious. Iron County’s personnel immediately reset all active sessions for all email accounts in its email tenant, launched its incident response plan and engaged counsel. Iron County also engaged, through counsel, a reputable third-party forensics firm to assist with counsel’s investigation.   

The investigation concluded that the unknown threat actor was able to gain unauthorized access to a single email account. The evidence suggests that the unauthorized access was used to send two emails to Iron County employees, which were promptly detected and reported. There is no evidence any information related to the incident was otherwise actually misused and there was no evidence that emails were taken from the system. 

The information involved differs from person to person. The investigation determined that potentially impacted data may have included an affected individuals’ name, date of birth, date of service, doctor or provider name, employee ID, medical billing information, payment for health services information, incidental health reference, medical record number, procedure information, medical history, medical treatment information and other health insurance information.  

Iron County took immediate steps to block the unauthorized access and to investigate the incident with the support of leading outside cybersecurity experts. Iron County deployed additional security measures and tools with the guidance of third-party experts to strengthen the ongoing security of its network.