
Cyber Incident Victim: Upstate Homecare

Date: Mar 2021

Location: United States of America

Summary

A ransomware group known as Pysa targeted multiple U.S. healthcare organizations using Mespinoza malware to exfiltrate and encrypt sensitive data, threatening public leaks unless ransoms were paid. The attackers compromised patient information including Social Security numbers, medical histories, and treatment records. While some victims, such as Assured Imaging and OrthoAtlanta, disclosed breaches affecting hundreds of thousands of patients and issued public notifications, others remained silent despite evidence of data exposure. Pysa maintained a dark web site listing non-compliant victims, amplifying pressure to pay. The incident highlighted inconsistent breach disclosure practices across the sector, with several entities facing no legal obligation to notify affected individuals despite confirmed data theft.


Description

Between December 26, 2020, and January 4, 2021, Upstate Home Care experienced a cybersecurity incident involving unauthorized access to its network. The intrusion was detected on January 4, 2021, when systems were encrypted by attackers identified as the Pysa group, also known as Mespinoza ransomware operators. Initial access was gained through phishing emails, a common tactic employed by this threat actor group. Following encryption, the attackers exfiltrated sensitive data from Upstate Home Care’s systems and issued a ransom demand, threatening to publish the stolen information on their dark web leak site if payment was not made. This double extortion strategy aligned with Pysa’s established modus operandi of stealing data before deploying ransomware. Upstate Home Care engaged external cybersecurity experts to investigate the breach, contain the damage, and restore operations. The forensic investigation confirmed both the encryption of systems and the theft of patient data.


The compromised data included patient names, addresses, Social Security numbers, medical records, and health insurance information belonging to 5,000 individuals. Upstate Home Care reported the breach to the U.S. Department of Health and Human Services on March 11, 2021, and began notifying affected patients via mailed letters on April 2, 2021. The notifications described the types of exposed data and offered 12 months of complimentary credit monitoring services to mitigate identity theft risks. A dedicated call center was established to address patient inquiries. In response to the incident, Upstate Home Care implemented security enhancements including multi-factor authentication and additional employee training to prevent future phishing attacks. The Pysa group’s history of targeting healthcare entities underscored the sector’s vulnerability to ransomware campaigns focused on sensitive patient data exploitation. No public evidence confirmed whether Upstate Home Care paid the ransom or if the stolen data was ultimately published by the attackers.
