Cyber Incident Victim: Medsurant Health

Date:

Sep 2021

Location:

United States of America

Summary

A healthcare entity experienced a ransomware incident involving unauthorized access to, and exfiltration of, patient data over an extended period. The threat actor contacted the organization by email; the resulting investigation established that data theft had begun before that contact. Some files were encrypted, but the entity restored them from backups. Approximately 45,000 patients were affected; individual notifications were delayed while the organization worked to determine which individuals required notice. Operations were not disrupted because the encrypted data was restored.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Medsurant Health, based in Pennsylvania, disclosed a ransomware incident affecting 45,000 patients, as reflected in its notification to the U.S. Department of Health and Human Services (HHS). The organization did not immediately notify affected patients because it was still determining which individuals required notification. The first indication of the incident was an email Medsurant received from the threat actor on September 30, 2021, claiming that data had been accessed and exfiltrated. Medsurant began an investigation promptly after receiving that message. Forensic analysis found that unauthorized data exfiltration had begun a week earlier, on September 23, 2021, and continued until November 12, 2021, roughly six weeks after the attacker's email. During this period the attacker extracted sensitive information from Medsurant's systems. Some files were encrypted by the ransomware; Medsurant restored them from backups. Medsurant did not publicly identify the ransomware variant involved.

The company published an official statement on November 29, 2021, outlining the incident timeline and its response. The statement indicated that Medsurant prioritized containment and restoration after the September 30 email from the threat actor. Even so, the exfiltration window ran 51 days, from initial access on September 23 to containment on November 12, meaning the attacker retained access to Medsurant's network for about six weeks after the organization had been alerted and had begun investigating. Restoring systems from backups resolved the encryption component, but the data exfiltration created ongoing risk to patients that required individual notification. Medsurant's public communications emphasized that determining the notification scope was complex because of the nature of the compromised data and the need for forensic verification. The delay in individual notifications contrasted with the timely HHS breach report, reflecting the operational difficulty of correlating exfiltrated data with specific patient identities. The available statement disclosed no further technical details about attack vectors, compromised systems, or data types.

Sources

1 source (available to members)