
Cyber Incident Victim: Bridgeway Inc.

Date: Mar 2021

Location: United States of America

Summary

Bridgeway Inc. was among multiple U.S. medical entities compromised by the Pysa threat actor group, which deployed Mespinoza ransomware to exfiltrate and encrypt sensitive data including Social Security numbers and medical histories. The attackers maintained a dark web leak site to pressure victims into paying ransoms, with several impacted organizations disclosing breaches publicly and reporting patient impacts to regulators. However, Bridgeway Inc. did not issue public notifications or disclosures regarding the incident despite evidence of exposed medical data, aligning with a broader pattern of unreported compromises within the healthcare sector linked to this threat group.


Description

The Pysa threat actor group, also known as "Protect Your System Amigo," employed Mespinoza ransomware against multiple U.S. medical entities beginning in 2018, with attacks continuing through 2020. These adversaries operated as "big-game hunters," exfiltrating sensitive data before encrypting victim systems to extort ransom payments. The FBI and France's CNIL issued alerts about Pysa's activities in early 2020 due to their persistent targeting of healthcare and educational organizations. Bridgeway Inc. was among at least 11 confirmed entities compromised by Pysa during this campaign, though the exact intrusion timeline for Bridgeway remains unspecified in public records. Attackers followed a consistent pattern: data theft preceded file encryption, with threats to publish stolen information on Pysa's dark web leak site if ransoms went unpaid. This leak site served as a public pressure tactic, listing non-paying victims to incentivize compliance.


Evidence confirmed Bridgeway Inc. suffered unauthorized access to protected health information, including Social Security numbers and medical histories, though the organization did not issue breach notifications to patients or regulators as of November 2020. Three other medical providers—Assured Imaging (244,813 patients), OrthoAtlanta (5,600 patients), and Woodholme Gastroenterology (50,000 patients)—publicly disclosed their incidents through HHS reports and consumer notices. In contrast, Bridgeway Inc., Bolton Street Pediatrics, Overlake OB/GYN, Mid-Florida Pathology, and St. Margaret’s Hospice maintained silence despite forensic evidence linking their data to Pysa's leaks. The absence of disclosure deprived affected individuals of mitigation opportunities while exposing entities to potential regulatory penalties. Pysa's operations demonstrated the escalating risks of ransomware-as-a-service models, where specialized threat actors systematically exploit vulnerabilities in critical infrastructure sectors without direct attribution to sponsoring entities.
