Cyber Incident Victim: Nocona General Hospital

Date: Nov 2020

Location: United States of America

Summary

Nocona General Hospital experienced a significant data breach where sensitive patient information, including names, addresses, social security numbers, medical diagnoses, and scan results, was published on the dark web. Unlike typical ransomware incidents, the hospital's systems were not encrypted, and no ransom demand was received, though attackers likely leaked the data to demonstrate credibility for future extortion. The breach exposed highly personal medical details, such as procedure records and health insurance information, impacting current and former patients. The hospital engaged legal representation but did not confirm receiving any direct threats prior to the data dump.

Description

In early 2021, Nocona General Hospital in Texas experienced a cybersecurity incident resulting in the unauthorized publication of sensitive patient data on the dark web. The breach exposed extensive personal and medical information, including patient names, addresses, birthdays, social security numbers, Medicaid numbers, prescription details, health insurance information, medical diagnoses, and scan results. Among the leaked files was a spreadsheet titled "2018_colonoscopies" containing names of 102 patients, procedure dates, and colonoscopy results indicating normal or abnormal findings. NBC News reported the publication involved "at least tens of thousands" of files, potentially impacting hundreds of thousands of current and former patients. Unlike the contemporaneous attack on Florida's Leon Medical Center attributed to the Conti ransomware group, Nocona General Hospital confirmed no ransomware deployment occurred on its systems and reported no encryption of data following exfiltration. Brian Jackson, legal counsel for the hospital, stated no ransom demand had been received by the organization, though he acknowledged uncertainty about whether attackers had attempted communication. The hospital did not disclose how attackers initially compromised its systems or the exact timeline of data exfiltration.

The incident occurred against the backdrop of heightened warnings from US authorities about ransomware threats targeting healthcare providers, including an October 2020 advisory specifically naming Conti and Ryuk ransomware groups. While Leon Medical Center's breach was traced to a malicious document exploiting an unpatched SMBv3 vulnerability (CVE-2020-0796), no technical details were confirmed regarding Nocona's attack vector. The publication of unencrypted medical records without accompanying ransom demands represented an escalation in attacker tactics, potentially intended to demonstrate credibility to future extortion targets. Neither hospital officials nor investigators publicly confirmed whether the two incidents were operationally linked beyond their temporal proximity. The exposure of sensitive health information created significant privacy risks for affected patients, including potential identity theft and medical fraud. Nocona General Hospital had not released details about its forensic investigation timeline or patient notification process as of the initial reports, contrasting with Leon Medical Center's public commitment to contacting impacted individuals.
