Cyber Incident Victim: Memorial Health System

Date: Aug 2021

Location: United States of America

Summary

A ransomware attack attributed to the Hive gang disrupted operations at a nonprofit healthcare organization operating three hospitals and affiliated clinics, forcing staff to rely on paper charts and causing cancellations of urgent surgeries and radiology services. The attackers encrypted systems after infiltrating the network and exfiltrated databases containing sensitive personal information—including Social Security numbers, names, and birthdates—belonging to approximately 200,000 patients, contradicting initial assurances that no data was compromised. Hive, known for stealing data prior to encryption to pressure victims into paying ransoms, typically publishes stolen information on its dark web leak site when demands are unmet.

Description

On August 15, 2021, Memorial Health System experienced a ransomware attack attributed to the Hive group, disrupting clinical and financial operations across its network of three hospitals in Ohio and West Virginia, outpatient service sites, and provider clinics. The IT department detected the incident early Sunday morning when infrastructure components became unresponsive, leading to system-wide encryption that forced staff to rely on paper charts for continuity of care. Memorial Health System, a nonprofit organization with over 3,000 employees, canceled urgent surgical cases and radiology exams the following Monday due to operational paralysis. President and CEO Scott Cantley initially issued a press release on Sunday asserting no evidence of patient or employee data compromise while investigations continued. The attack methodology followed typical ransomware patterns, with threat actors infiltrating systems prior to encryption to identify high-value targets and exfiltrate data for extortion leverage.

Subsequent analysis revealed the theft of databases containing sensitive information for approximately 200,000 patients, including names, Social Security numbers, and dates of birth. Hive, a ransomware operation active since June 2021, claimed responsibility and employed its standard double-extortion tactic—demanding payment to prevent data leakage on its "HiveLeaks" dark web portal while offering decryption tools. The group had already listed nearly two dozen non-paying victims on this portal prior to the Memorial Health attack, predominantly targeting small-to-medium enterprises with under 100 employees. Memorial’s incident exemplified Hive’s rapid escalation in targeting critical infrastructure, though the health system’s specific ransom payment status remained undisclosed. Operational disruptions persisted during recovery efforts, highlighting vulnerabilities in healthcare infrastructure despite initial assurances about data security from leadership.
