Indiana Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

Indiana sits at the crossroads of American manufacturing, logistics, and life sciences — industries that generate enormous volumes of sensitive data and depend on interconnected systems that attackers find attractive. The state is home to Eli Lilly, one of the world's largest pharmaceutical companies, alongside thousands of advanced manufacturers, healthcare systems, and defense suppliers. This concentration of high-value intellectual property and personal data makes Indiana a persistent target for ransomware operators, data thieves, and nation-state espionage groups.

The incidents documented below are not abstract warnings. Each one reveals specific weaknesses — unpatched systems, third-party access failures, inadequate network segmentation — that remain common across Indiana organizations today. Whether you run a manufacturing operation in Elkhart or a medical practice in Indianapolis, understanding the Indiana cyber threat landscape through the lens of real incidents is the starting point for building a defensible security posture.

Major Cyber Incidents in Indiana: A Timeline

2018 — Indiana Pacers Data Breach

The Indiana Pacers, the NBA franchise based in Indianapolis, disclosed in June 2018 that a phishing attack had compromised an employee email account containing personal information. The breach, which was discovered in November 2018 after the initial compromise months earlier, exposed names, addresses, dates of birth, Social Security numbers, passport numbers, medical information, and financial account details of an undisclosed number of individuals. The Pacers notified the Indiana Attorney General and offered credit monitoring services to affected parties. The incident demonstrated that even high-profile organizations with significant resources can fall victim to straightforward email phishing when employee training and email security controls are insufficient.

2021 — Eskenazi Health Ransomware Attack

In August 2021, Eskenazi Health, one of Indianapolis's largest safety-net hospital systems serving primarily low-income and uninsured patients, was hit by a ransomware attack attributed to the Vice Society group. The attack forced the hospital to divert ambulances to other facilities and revert to paper-based records for an extended period. Eskenazi refused to pay the ransom, and the attackers subsequently published stolen patient data on their dark web leak site. The exposed data included patient names, medical records, Social Security numbers, and insurance information. The incident was particularly disruptive because Eskenazi serves as a critical access point for vulnerable populations in Marion County, and the ambulance diversions created a cascading strain on neighboring hospital emergency departments.

2021 — CarePointe ENT Data Breach

CarePointe ENT, an ear, nose, and throat practice operating multiple locations across northwest Indiana including offices in Crown Point, Dyer, Hobart, and Merrillville, disclosed a data breach affecting approximately 48,742 patients. The breach involved unauthorized access to systems containing protected health information including names, dates of birth, Social Security numbers, health insurance details, and medical treatment records. CarePointe reported the incident to the U.S. Department of Health and Human Services and the Indiana Attorney General. The breach highlighted the vulnerability of specialty medical practices that may lack the IT security resources of larger hospital systems while still maintaining substantial volumes of sensitive patient data.

2021 — Indiana Department of Health COVID Data Exposure

During the COVID-19 pandemic response, the Indiana Department of Health experienced a data exposure incident involving the state's contact tracing system. Personal information including names, addresses, dates of birth, email addresses, and phone numbers of Indiana residents who had participated in contact tracing was inadvertently made accessible. The Indiana Attorney General's office investigated the incident, which underscored the risks that emerge when government agencies rapidly deploy new technology systems under crisis conditions without adequate security review.

2022 — Indiana Medicaid Data Breach

The Indiana Family and Social Services Administration (FSSA) disclosed a breach affecting Indiana Medicaid recipients after a third-party contractor, Maximus, experienced a security incident. The breach exposed personal information of Medicaid beneficiaries including names, Social Security numbers, addresses, and case identification numbers. Maximus, which provides eligibility determination and enrollment services for Indiana's Medicaid program, notified affected individuals and offered identity protection services. The incident exemplified the supply chain risk inherent in government outsourcing — a pattern that has affected Medicaid programs in multiple states.

2023 — MOVEit Transfer Breach Impact on Indiana

The widespread exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer file-sharing platform by the Cl0p ransomware group in mid-2023 affected multiple Indiana organizations. The Indiana Public Retirement System (INPRS) confirmed that data belonging to current and retired state employees was compromised through a third-party vendor that used the MOVEit platform. Exposed information included names, Social Security numbers, and pension-related data. The MOVEit campaign was global in scope but its impact on Indiana state employees illustrated how supply chain vulnerabilities in widely used enterprise software can cascade through government systems.

2023 — Schneck Medical Center Ransomware and Settlement

Schneck Medical Center, a community hospital in Seymour, Indiana, suffered a ransomware attack in September 2021 that compromised the personal and medical information of approximately 89,707 patients. The aftermath extended into 2023 when the Indiana Attorney General reached a settlement with Schneck over alleged failures to maintain adequate security safeguards and timely notification. Schneck agreed to pay $250,000 in penalties and implement specific security improvements. The settlement was notable as one of the first enforcement actions by the Indiana AG against a healthcare provider for breach-related deficiencies, signaling increased state-level enforcement of data protection obligations.

Indiana Breach Notification Requirements

Indiana's breach notification law, the Disclosure of Security Breach Act (Indiana Code 24-4.9), requires any entity that owns or licenses computerized data containing personal information of Indiana residents to notify affected individuals when a breach is discovered. Key requirements include:

• Notification timing: Businesses must notify affected Indiana residents without unreasonable delay. While Indiana's statute does not specify an exact day count like some states, the Indiana Attorney General has interpreted 'without unreasonable delay' to generally mean within a reasonable period after investigation confirms a breach occurred

• Attorney General notification: If a breach affects more than 250 Indiana residents, the entity must also notify the Indiana Attorney General's office

• Consumer reporting agencies: If a breach affects more than 1,000 Indiana residents, the entity must notify nationwide consumer reporting agencies without unreasonable delay

• Definition of personal information: Indiana law defines personal information as a first name or initial and last name combined with an unencrypted Social Security number, driver's license number, state identification number, credit card number, financial account number, or any other unique identification number issued on a government document

For a complete guide to Indiana's regulatory requirements and upcoming privacy legislation, see our analysis of Indiana cybersecurity compliance and data privacy laws.

Which Indiana Industries Are Most Targeted?

Healthcare

Indiana's healthcare sector — anchored by major systems including IU Health, Community Health Network, Eskenazi Health, and Franciscan Health — generates enormous quantities of protected health information. The Eskenazi, CarePointe, and Schneck incidents demonstrate that both large urban hospitals and smaller community and specialty practices are targeted. Healthcare organizations should evaluate healthcare IT security strategies designed for clinical environments where system availability directly affects patient safety.

Manufacturing

Indiana leads the nation in manufacturing as a percentage of GDP, with over 8,700 manufacturing establishments employing roughly 530,000 workers. The state's manufacturing base spans automotive (Subaru in Lafayette, Honda in Greensburg, Toyota in Princeton), medical devices (Warsaw's orthopedic corridor), steel (U.S. Steel and ArcelorMittal in northwest Indiana), and aerospace components. These operations increasingly rely on networked operational technology systems that create attack surfaces distinct from traditional IT environments. Organizations in this sector should explore manufacturing cybersecurity approaches that address both IT and OT risks.

Life Sciences and Pharmaceuticals

Indianapolis is one of the nation's largest life sciences hubs, anchored by Eli Lilly and Company alongside hundreds of biotech firms, contract research organizations, and medical device manufacturers. The intellectual property held by these organizations — drug formulations, clinical trial data, manufacturing processes — is a prime target for nation-state espionage groups, particularly those linked to China. A single successful exfiltration of drug development data can represent billions of dollars in stolen R&D investment.

State and Local Government

Indiana's 92 counties, hundreds of municipalities, and state agencies collectively manage sensitive data with widely varying levels of IT security maturity. The COVID data exposure and Medicaid breach incidents illustrate that government systems are vulnerable both to direct attacks and to third-party contractor compromises. Many local governments in Indiana operate with constrained IT budgets and limited cybersecurity expertise.

How to Protect Your Indiana Business

The pattern across Indiana incidents is consistent: phishing, unpatched vulnerabilities, and third-party access failures account for the vast majority of breaches. Practical steps to reduce risk include:

• Deploy multi-factor authentication on all email, remote access, and privileged accounts — the Pacers breach and Eskenazi attack both involved vectors that MFA would have mitigated

• Vet and monitor third-party vendors rigorously — the Medicaid and MOVEit incidents demonstrate that your security is only as strong as your weakest vendor's security

• Segment networks so that a compromise in administrative systems cannot spread to clinical, manufacturing, or operational technology environments

• Maintain tested offline backups — Eskenazi's refusal to pay ransom was only viable because the organization had recovery options

• Train employees on phishing with ongoing simulated campaigns, not just annual presentations

Many Indiana organizations partner with managed IT services providers and managed security services firms to maintain continuous monitoring and incident response capabilities that would be difficult to build in-house, particularly for mid-sized manufacturers and healthcare practices.

Frequently Asked Questions

How quickly must an Indiana business report a data breach?

Indiana's Disclosure of Security Breach Act (IC 24-4.9) requires notification 'without unreasonable delay' after discovery of a breach. Unlike states with explicit 30- or 60-day deadlines, Indiana uses a reasonableness standard. However, the Indiana Attorney General has enforced this requirement and the Schneck Medical Center settlement demonstrates that delayed or inadequate notification can result in penalties. If more than 250 Indiana residents are affected, the Attorney General must also be notified.

What penalties exist for failing to report a breach in Indiana?

The Indiana Attorney General can bring enforcement actions under the Disclosure of Security Breach Act and the Deceptive Consumer Sales Act. Penalties can include civil fines, injunctive relief, and required remediation measures. The $250,000 settlement with Schneck Medical Center in 2023 established a precedent for AG enforcement against organizations that fail to maintain adequate safeguards or provide timely notification.

Was the Eskenazi Health attack the worst ransomware incident in Indiana?

The Eskenazi Health attack in August 2021 is the most publicly consequential ransomware incident in Indiana history in terms of operational disruption and patient impact. The ambulance diversions and weeks-long recovery affected access to care for vulnerable populations across Marion County. However, the Schneck Medical Center breach affected nearly 90,000 patients and resulted in the first significant AG enforcement action, making it equally significant from a regulatory perspective.

Which Indiana sectors experience the most data breaches?

Healthcare accounts for the largest share of publicly reported Indiana data breaches, driven by mandatory HIPAA breach reporting requirements and the high value of medical records. Government agencies and educational institutions also appear frequently in breach disclosures. Manufacturing and life sciences breaches may be underreported because these sectors lack the same mandatory disclosure requirements, but the Indiana threat landscape analysis indicates they face significant and growing risk.

Does Indiana have a dedicated state cybersecurity agency?

The Indiana Office of Technology (IOT), part of the Indiana Governor's office, serves as the state's central IT and cybersecurity authority for state government operations. IOT oversees the Indiana Executive Branch's cybersecurity program, manages incident response for state agencies, and publishes security policies and standards. The Indiana National Guard also maintains a cyber unit that can be activated to assist with significant cyber incidents affecting state infrastructure.