Full Report
Dysruption Hub reports: Livingston HealthCare in Livingston, Montana, says its phone system has been restored after a cybersecurity incident disrupted communications and led the hospital to take some systems offline, but network disruptions continue as restoration work proceeds. The nonprofit hospital said Feb. 13 that a “potential cybersecurity incident” disrupted its phone systems and network and that... Source
Analysis Summary
# Incident Report: Livingston HealthCare Cybersecurity Disruption
## Executive Summary
Livingston HealthCare, a nonprofit hospital in Montana, experienced a cybersecurity incident in mid-February 2026 that resulted in the complete disruption of its phone systems and internal network. To mitigate the threat, the hospital preemptively took several systems offline, transitioning to manual emergency procedures for patient care. While phone services have since been restored, network restoration and recovery efforts are currently ongoing.
## Incident Details
- **Discovery Date:** February 13, 2026 (Publicly acknowledged)
- **Incident Date:** February 13, 2026
- **Affected Organization:** Livingston HealthCare
- **Sector:** Healthcare
- **Geography:** Livingston, Montana, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to Feb 13)
- **Vector:** Unknown
- **Details:** Specific entry points have not been publicly disclosed by the organization as the investigation is active.
### Lateral Movement
- **Details:** Attackers impacted both the internal data network and the primary telecommunications/phone systems, suggesting movement across converged infrastructure or interconnected VLANs.
### Data Exfiltration/Impact
- **Details:** Phone systems were rendered inoperable. Public network systems were taken offline. It is currently unconfirmed if patient PII/PHI (Personally Identifiable Information/Protected Health Information) was exfiltrated.
### Detection & Response
- **How it was discovered:** Disruption of critical communications (phones) and network instability.
- **Response actions taken:**
- Isolated the network by taking systems offline "out of an abundance of caution."
- Engaged third-party outside cybersecurity experts.
- Issued public guidance for patients to use 911 for emergencies.
- Systematic restoration of the phone system.
## Attack Methodology
- **Initial Access:** Undisclosed
- **Persistence:** Undisclosed
- **Privilege Escalation:** Undisclosed
- **Defense Evasion:** Undisclosed
- **Credential Access:** Undisclosed
- **Discovery:** Undisclosed
- **Lateral Movement:** Undisclosed
- **Collection:** Undisclosed
- **Exfiltration:** Undisclosed
- **Impact:** Service Denial (Network and Telephony shutdown).
## Impact Assessment
- **Financial:** Undisclosed; costs expected from forensic services and potential lost revenue during downtime.
- **Data Breach:** Under investigation; status of patient records unconfirmed.
- **Operational:** HIGH; phone systems were down, and clinicians were likely forced to use paper charts/downtime procedures. Patients were redirected to 911 for urgent needs.
- **Reputational:** MODERATE; local public notice required due to the interruption of emergency communication channels.
## Indicators of Compromise
- **Network indicators:** None currently released.
- **File indicators:** None currently released.
- **Behavioral indicators:** Unusual network latency followed by a total loss of VoIP (Voice over IP) services and internal application access.
## Response Actions
- **Containment measures:** Immediate disconnection of affected segments and taking the primary network offline.
- **Eradication steps:** Ongoing engagement with forensic experts to identify and remove the threat actor's presence.
- **Recovery actions:** Phased restoration, starting with the restoration of the phone system reported on February 16, 2026.
## Lessons Learned
- **Redundancy:** The incident highlights the vulnerability of converged networks where a single cybersecurity event can disable both data systems and voice communications.
- **Downtime Readiness:** The hospital’s ability to remain open (UrgentCare/Emergency) suggests a practiced manual downtime procedure was in place.
## Recommendations
- **Network Segmentation:** Ensure strict isolation between administrative networks and critical infrastructure such as VoIP phone systems and medical device VLANs.
- **Out-of-Band Communications:** Maintain emergency secondary communication channels (e.g., satellite phones or isolated analog lines) for critical healthcare coordination.
- **Endpoint Detection:** Deploy EDR (Endpoint Detection and Response) tools to identify lateral movement before it reaches critical communication servers.