Cyber Incident Victim: Abington Fertility Center

Maze ransomware operators, known for their model of publicly naming victims and dumping stolen data, maintained a public leak site where they listed victims and published stolen data to pressure payment. In 2020, Maze added Abington Reproductive Medicine, a healthcare provider later rebranded as Sincera, to their leak site. Typically, Maze accompanied each listing with files as proof of exfiltration, but in Abington's case, the uploaded documents bore no relation to the medical practice; they were unrelated files, raising questions about whether Maze had actually attacked Abington or had mistakenly uploaded incorrect files. DataBreaches.net sent two inquiries to Abington but received no reply. The lack of any relevant proof and the silence from the entity left uncertainty about whether an actual breach had occurred or if the listing was erroneous.

Maze's campaign targeted numerous healthcare providers in 2020, often posting large volumes of patient data and demanding payment. Many victims failed to notify patients or regulators, as documented in the report; for the ten Maze listings examined, only four entities had issued notifications or statements. Abington Reproductive Medicine was among those that had not been seen to notify. As of the publication of the report, there was no record of the breach on the U.S. Department of Health and Human Services' public breach portal, consistent with the pattern of non-reporting among many Maze victims. There was no evidence that the practice had notified state attorneys general or patients. The rebranded entity, Sincera, similarly provided no information about the incident. This case illustrated the broader issue of underreporting in healthcare ransomware attacks, where many entities fail to meet HIPAA's notification requirements, leaving patients unaware of risks to their personal and health information. The incident remained unresolved, with no confirmation from the organization about the nature or scope of any data exposure.