Nebraska Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A detailed timeline of major cybersecurity incidents in Nebraska, from healthcare system compromises to ransomware attacks on agriculture and financial institutions, and what businesses can learn from them.
Nebraska's economy is built on industries that cybercriminals find exceptionally attractive. The state is home to some of the nation's largest insurance and financial services companies — Mutual of Omaha, Berkshire Hathaway, and First National Bank of Omaha among them — each holding vast repositories of personally identifiable information. At the same time, Nebraska's agricultural sector, which contributes over $25 billion annually to the state economy, has undergone rapid digital transformation through precision agriculture platforms and IoT-connected equipment, creating new attack surfaces that did not exist a decade ago.
The incidents documented below represent real breaches and cyberattacks that have affected Nebraska organizations across multiple sectors. Each case reveals patterns — unpatched systems, compromised credentials, supply chain weaknesses — that continue to drive breaches today. For a broader view of the risks facing Nebraska organizations, see our analysis of the Nebraska cyber threat landscape.
Major Cyber Incidents in Nebraska: A Timeline
2015 — Nebraska Medicine / University of Nebraska Medical Center Breach
Nebraska Medicine, the clinical partner of the University of Nebraska Medical Center in Omaha, experienced a data breach in which unauthorized individuals gained access to internal systems containing patient records. The breach exposed names, dates of birth, Social Security numbers, and clinical information for approximately 29,000 patients. The organization responded by deploying additional network monitoring tools and expanding its information security team. The incident highlighted the persistent vulnerability of academic medical centers that balance open research environments with the need to protect patient data.
2017 — Omaha Housing Authority Data Exposure
The Omaha Housing Authority disclosed that a data incident had exposed personal information of tenants and applicants, including Social Security numbers and financial records. The exposure resulted from a misconfigured database that was accessible without proper authentication controls. The incident affected thousands of individuals who had applied for or received housing assistance, and it prompted the agency to conduct a comprehensive security audit of its IT systems.
2019 — NEW Cooperative Supply Chain Attack
NEW Cooperative, an Iowa-based agricultural cooperative with significant operations across Nebraska, was targeted in a ransomware attack attributed to the BlackMatter group. The attack disrupted grain storage and feed supply operations during a critical harvest period, threatening food supply chain logistics across the Midwest. While the cooperative's headquarters was in Iowa, the operational impact extended deeply into Nebraska's agricultural infrastructure, demonstrating how small business cybersecurity failures in agricultural supply chains can cascade across state lines.
2020 — Boys Town National Research Hospital Phishing Attack
Boys Town National Research Hospital in Omaha disclosed that a phishing attack had compromised employee email accounts containing protected health information. The breach affected approximately 105,000 individuals, exposing names, dates of birth, Social Security numbers, medical record numbers, and health insurance information. Boys Town notified affected individuals and offered complimentary credit monitoring services. The attack illustrated how healthcare organizations remain prime targets for credential theft campaigns.
2021 — Nebraska Department of Health and Human Services Data Incident
The Nebraska Department of Health and Human Services reported a data incident involving the improper disposal of documents containing Medicaid recipient information. While not a traditional cyberattack, the incident exposed personal health information for thousands of Nebraska residents and prompted the state to review its data handling and destruction policies across all agencies.
2022 — Heartland Health Center Ransomware Attack
A community health center network serving rural Nebraska communities experienced a ransomware attack that encrypted patient records and disrupted clinical operations for several days. The attack forced the health center to divert patients to other facilities and revert to paper-based record-keeping. The incident underscored the acute vulnerability of rural healthcare organizations that often operate with minimal IT security budgets and limited staff.
2023 — First National Bank of Omaha Vendor Breach (MOVEit)
First National Bank of Omaha was among the financial institutions affected by the widespread MOVEit Transfer vulnerability exploitation in 2023. The Clop ransomware group exploited a zero-day vulnerability in the MOVEit file transfer software used by a third-party vendor, resulting in unauthorized access to customer data including names, account numbers, and Social Security numbers. The bank notified affected customers and provided credit monitoring services. The incident demonstrated how even well-resourced financial institutions can be compromised through supply chain vulnerabilities in third-party software.
Nebraska's Data Breach Notification Law
Nebraska's data breach notification requirements are governed by the Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act, codified in Nebraska Revised Statutes Sections 87-801 through 87-808. The law requires any individual or entity that conducts business in Nebraska and owns or licenses computerized personal information of Nebraska residents to notify affected individuals following a breach of system security. Notification must be provided without unreasonable delay, consistent with the needs of law enforcement.
In 2024, Nebraska enacted the Nebraska Data Privacy Act (LB 1074), which expanded consumer privacy rights and imposed additional data protection obligations on businesses. Under the updated framework, personal information includes an individual's name combined with Social Security numbers, driver's license numbers, financial account credentials, or medical information. Violations carry penalties of up to $10,000 per violation, enforced by the Nebraska Attorney General. For a complete overview of Nebraska's regulatory framework, see our Nebraska compliance and privacy law guide.
Which Nebraska Industries Are Most Targeted?
Financial Services and Insurance
Omaha is one of the nation's most significant financial services hubs, anchored by Berkshire Hathaway, Mutual of Omaha, and First National of Nebraska. These organizations and the hundreds of smaller firms in their orbit hold enormous volumes of customer financial data. Cybercriminals target the financial sector for direct monetary theft, fraudulent wire transfers, and the high resale value of financial records on dark web markets. Even accounting and financial firms operating as regional practices face sophisticated phishing and business email compromise attacks.
Agriculture and Agribusiness
Nebraska ranks among the top five states in agricultural output, with beef, corn, and soybeans as primary products. The increasing adoption of precision agriculture, GPS-guided equipment, and cloud-based farm management platforms has created new cyber risk. Ransomware attacks on agricultural cooperatives and supply chain disruptions during planting or harvest seasons can have outsized economic impacts, as demonstrated by the NEW Cooperative incident.
Healthcare
Nebraska's healthcare sector, centered around the University of Nebraska Medical Center and CHI Health network, processes vast amounts of protected health information. Rural hospitals and clinics across the state face particular challenges, as they often lack dedicated cybersecurity staff while still maintaining digital patient records that attract attackers.
Transportation and Logistics
Union Pacific Railroad, headquartered in Omaha, is one of the largest freight railroad networks in North America. The broader transportation and logistics sector in Nebraska faces threats to both IT systems and operational technology that controls rail switching, routing, and signaling systems.
What Nebraska Businesses Must Do After a Breach
Nebraska businesses that experience a data breach should follow a structured response process. First, contain the incident by isolating affected systems and preserving forensic evidence. Second, assess the scope of the breach to determine what personal information was compromised and how many individuals are affected. Third, notify affected individuals without unreasonable delay as required by Nebraska Revised Statutes Section 87-803. If the breach affects more than 500 Nebraska residents, the business should also notify the Nebraska Attorney General.
Beyond legal notification requirements, businesses should engage qualified incident response professionals to identify the root cause and remediate vulnerabilities. Organizations that have managed IT security services in place typically recover faster because monitoring and response capabilities are already operational. Documenting every step of the response is critical for demonstrating compliance and defending against potential regulatory action or litigation.
How to Protect Your Nebraska Business Before an Incident
Proactive cybersecurity measures significantly reduce the likelihood and impact of a breach. Nebraska businesses should implement multi-factor authentication across all systems, conduct regular vulnerability assessments, and maintain encrypted offline backups. Employee security awareness training is particularly important given that phishing remains the most common initial attack vector in Nebraska incidents.
Organizations should also develop and regularly test an incident response plan. Understanding what managed IT services include can help Nebraska businesses evaluate whether outsourcing security monitoring and response is more practical than building those capabilities in-house, particularly for small and mid-sized firms that lack dedicated cybersecurity staff.
Multi-factor authentication on all email, VPN, and administrative accounts
Endpoint detection and response (EDR) deployed on all workstations and servers
Regular backup testing to verify recovery procedures work before an emergency
Security awareness training at least quarterly for all employees
Incident response plan documented, distributed, and tested annually
Frequently Asked Questions
What is Nebraska's data breach notification deadline?
Nebraska law requires notification without unreasonable delay following discovery of a breach. While the statute does not impose a specific day count, regulators expect prompt notification consistent with the time needed to determine the scope of the incident and cooperate with law enforcement if applicable.
Does Nebraska have a comprehensive data privacy law?
Yes. Nebraska enacted the Nebraska Data Privacy Act (LB 1074) in 2024, which provides consumers with rights to access, delete, and opt out of the sale of their personal data. The law applies to businesses that conduct business in Nebraska and meet specified data processing thresholds.
Which Nebraska industries face the highest breach risk?
Financial services, healthcare, and agriculture are the most targeted sectors in Nebraska. Financial firms hold high-value customer data, healthcare organizations manage protected health information, and agricultural operations face increasing risks as they adopt connected technologies.
Are Nebraska businesses required to report breaches to the Attorney General?
Nebraska law requires businesses to notify the Attorney General when a breach affects 500 or more Nebraska residents. Businesses must provide a description of the incident, the categories of information involved, and the number of affected individuals.
How can small businesses in Nebraska afford cybersecurity protections?
Many Nebraska small businesses address cybersecurity through managed IT service providers that offer security monitoring, endpoint protection, and incident response as part of a monthly subscription. This approach provides enterprise-grade protections without the cost of hiring a full-time security team. Cyber insurance is also increasingly accessible to small businesses and can offset breach-related expenses.
What role does the Nebraska Data Privacy Act play in cybersecurity?
The Nebraska Data Privacy Act (LB 1074) establishes consumer data rights and imposes obligations on businesses to implement reasonable data protection measures. While it is primarily a privacy law, its data security requirements overlap significantly with cybersecurity best practices, making compliance a useful framework for strengthening an organization's overall security posture.
Alex Morgan
Updated Apr 5, 2026