Cyber Incident Victim: Mid-Florida Pathology
Date: Nov 2020
Location: United States of America
Summary
Mid-Florida Pathology was among multiple U.S. medical entities compromised by the Pysa threat actor group, which deployed Mespinoza ransomware to exfiltrate and encrypt sensitive data including Social Security numbers and medical histories. The attackers publicly listed non-paying victims on a dark web leak site, but the pathology provider did not disclose the breach to regulators or affected patients despite evidence of data exposure, unlike some other targeted healthcare organizations that issued notifications. The incident highlighted Pysa's continued targeting of the medical sector through ransomware-as-a-service operations aimed at extorting payments by threatening data leaks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Mid-Florida Pathology incident occurred in late 2020 as part of a broader campaign by the Pysa ransomware group, which targeted multiple U.S. medical entities. Pysa, operating since 2018 under the slogan "Protect Your System Amigo," deployed Mespinoza ransomware to encrypt victims' files after exfiltrating data. By early 2020, the FBI and France's CNIL had issued alerts about this group, categorizing them as "big-game hunters" due to their focus on high-value targets. The attackers maintained a dark web leak site to pressure victims into paying ransoms by threatening to publish stolen data. Mid-Florida Pathology was identified among at least 11 healthcare entities compromised by Pysa during this period, with evidence suggesting their medical data was exposed alongside organizations like Bolton Street Pediatrics and St. Margaret’s Hospice. Unlike three other victims – Assured Imaging, OrthoAtlanta, and Woodholme Gastroenterology – who reported breaches affecting over 300,000 combined patients to HHS and issued public notifications, Mid-Florida Pathology did not disclose the incident through official channels despite appearing on Pysa's leak site.

The attack exposed sensitive patient information including Social Security numbers and medical histories, though the exact number of affected individuals at Mid-Florida Pathology remains unspecified. Pysa's operational pattern involved dual extortion tactics: demanding payment for decryption keys while threatening to release exfiltrated data if ransoms went unpaid. While some listed entities like Overlake OB/GYN had over 8,900 files leaked, Mid-Florida Pathology's specific data volume wasn't detailed in available disclosures. No containment measures, forensic investigations, or patient notifications from Mid-Florida Pathology were documented, contrasting with other victims who pursued legal actions such as court dismissals of related lawsuits. The absence of public breach reports suggests the organization did not formally acknowledge the incident to regulators or affected parties, leaving potential data exposure unaddressed in the public domain despite the confirmed compromise.
