Cyber Incident Victim: Methodist Family Health

Date: Mar 2023

Location: United States of America

Summary

A healthcare provider serving vulnerable pediatric populations experienced unauthorized access and data exfiltration involving sensitive patient information maintained by a pharmacy services business associate. The compromised records included names, birthdates, treatment details, diagnoses, medications, and financial account data. The organization terminated unauthorized access promptly after detection and implemented enhanced security measures. While external researchers linked the incident to Avos Locker ransomware operators—noting parallels to another pediatric healthcare attack—the provider's official disclosures omitted references to ransomware or extortion attempts. The threat actor subsequently removed the organization from their leak site, though the circumstances surrounding this removal remain undetermined. Affected individuals were notified of the breach but not explicitly informed about potential Russian threat actor involvement.

Description

On March 6, 2023, Methodist Family Health (MFH) detected a data breach that had initially occurred on or around March 4. The organization, which provides care to children with psychiatric, behavioral, and emotional challenges, determined that an unauthorized party accessed and copied protected health information (PHI) from documents used by a pharmacy services business associate. The compromised data included full names, dates of birth, home addresses, diagnosis details, treatment dates, account numbers, service charges, and medication information. MFH launched an internal investigation supported by external cybersecurity and privacy specialists, concluding that the unauthorized access was swiftly terminated after detection. The organization implemented additional security measures to strengthen data protection protocols but did not publicly disclose whether the incident involved ransomware at the time of its notification. On May 3, 2023, MFH formally notified the U.S. Department of Health and Human Services (HHS) that 5,259 patients were impacted and issued a public breach notice the same day. The notice emphasized ongoing reviews of internal processes and commitments to PHI security but omitted details about the attack methodology or responsible threat actors.

Around March 8, 2023, MFH appeared on the leak site of the Avos Locker ransomware group, sparking speculation about potential links to an affiliate involved in a prior attack on Toronto’s SickKids children’s hospital. The MFH listing was later removed from Avos Locker’s site for undetermined reasons, with no public confirmation of ransom demands, payments, or data deletion. MFH’s official communications did not reference ransomware, extortion attempts, or the involvement of Russian threat actors despite external reporting. DataBreaches.net contacted MFH seeking clarification on these points but received no response. The breach exposed highly sensitive data belonging to a vulnerable pediatric population that includes victims of abuse and neglect and children with severe mental health conditions. MFH confirmed no operational disruptions beyond the data compromise but did not specify whether affected individuals received enhanced monitoring services or explicit warnings about potential misuse of their stolen PHI by cybercriminals.
