Cyber Incident Victim: Heartland Healthcare Services
Date: Nov 2021
Location: United States of America
Summary
Heartland Healthcare Services experienced a ransomware attack that resulted in unauthorized exfiltration of files containing patient data, with some information later published on a dark web leak site. The organization, consulting with law enforcement, declined to pay the ransom demand. Compromised data included names, addresses, telephone numbers, medication details, and related treatment information for 2,763 individuals across multiple affiliated pharmacies. Security enhancements were implemented following the incident to mitigate future risks.
Description
Heartland Healthcare Services, a Toledo, OH-based pharmacy owned by HCR-ManorCare and CVS Health, experienced a ransomware attack detected on April 11, 2022, when staff were blocked from accessing network files. The attackers exfiltrated patient data files before encrypting systems and subsequently issued a ransom demand. Following consultation with the Federal Bureau of Investigation, Heartland opted against paying the ransom. Subsequent monitoring revealed that portions of the stolen data were published on the ransomware group's dark web leak site, confirming unauthorized dissemination of sensitive information. Forensic analysis determined the breach impacted 2,763 patients who had received medications through Heartland Pharmacy locations in Pennsylvania, Maryland, or Illinois. The compromised data included patient names, physical addresses, telephone numbers, specific medication names, and related prescription details. No evidence suggested clinical treatment records or financial account information were accessed during this incident.

The organization initiated containment measures immediately upon detecting the attack, though the exact timeframe of initial network access by threat actors remained unspecified in public disclosures. Heartland confirmed that attackers specifically targeted files containing medication-related information rather than comprehensive medical histories. Post-incident investigations led to security enhancements across Heartland's infrastructure, though specific technical controls implemented were not detailed publicly. Affected individuals received breach notifications describing the types of exposed data but were not offered identity protection services, as Social Security numbers and financial data weren't compromised. The incident highlighted operational disruptions through denied file access but did not result in reported medication distribution errors or care interruptions. Heartland's public statements emphasized collaboration with law enforcement and cybersecurity professionals throughout the response process without disclosing whether threat actors were identified.
