Cyber Incident Victim: National Veterinary Associates
Date:
Oct 2019
Location:
United States of America
Summary
National Veterinary Associates, a major global operator of veterinary hospitals and boarding facilities, experienced a significant ransomware attack disrupting operations at over half of its 700 locations. The Ryuk ransomware compromised patient records, payment systems, and practice management software, forcing many hospitals to rely on alternative methods for accessing critical data while continuing animal care services. The incident marked the second ransomware event affecting the organization that year, with recovery efforts complicated by concurrent wildfires near its headquarters. External security firms assisted in remediation, which included deploying interim workstations and rebuilding servers. The company subsequently announced investments in enhanced cybersecurity infrastructure and talent to mitigate future threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
National Veterinary Associates (NVA), a global operator of over 700 veterinary hospitals and boarding facilities, experienced a significant ransomware attack discovered on the morning of October 27, 2019. The incident impacted approximately 400 locations across the United States, Canada, Australia, and New Zealand, disrupting access to critical systems including Patient Information Management systems (PIMs), Microsoft Active Directory, and Exchange servers. According to an anonymous source close to the investigation, the Ryuk ransomware strain was deployed around 2 a.m. Pacific Time on October 27, causing immediate operational challenges for affected hospitals. NVA's response was complicated by wildfires in Los Angeles County, which had forced the closure of its Agoura Hills headquarters support center on October 25 due to poor air quality. The company engaged two external security firms to investigate and remediate the attack, with internal communications revealing a "monumental effort" to restore IT services. While NVA's Chief Marketing Officer Laura Koester stated all hospitals remained open and patient record access was eventually restored, internal updates acknowledged many locations struggled to provide care during the outage, with some resorting to manual record-keeping and temporary workstations.
The attack marked the second Ryuk ransomware incident affecting NVA in 2019, though the company characterized the earlier summer intrusion as a non-ransomware malware event. Forensic analysis indicated the October breach originated through three compromised accounts unaffiliated with NVA that provided entry points within the network, despite initial security systems blocking the ransomware. NVA's technology team implemented containment measures to prevent further spread but faced prolonged recovery efforts, with some hospitals still awaiting full system restoration by November 7. The company invested in Carbon Black cloud-based security software for all property computers as part of its infrastructure rebuild. Operational impacts included temporary suspension of online booking systems and reliance on alternative patient records at some facilities, though NVA maintained no hospitals closed completely. Internal communications from executives like Director of Operations Robert Hill and CIO Joe Leggio highlighted both immediate care challenges and long-term cybersecurity investments, while technology head Greg Hartmann's updates detailed the phased server rebuilding process and interim solutions for affected locations.