Cyber Incident Victim: Capital Medical Center
Date: Jan 2021
Location: United States of America
Summary
A ransomware group claimed responsibility for an attack initially attributed to a Washington medical center, but subsequent investigation revealed the breach likely impacted an affiliated cancer care provider instead. The attackers exfiltrated and publicly dumped approximately 30 GB of sensitive data containing unencrypted patient health records, including medical reports and personally identifiable information, alongside employee files. Patient records spanned several years with filenames revealing protected health details. The medical center's parent organization conducted an internal investigation and denied operational impact, while the cancer care provider failed to respond to multiple inquiries about the incident. No breach notifications appeared on regulatory platforms or organizational websites despite the data exposure persisting for months, raising questions about compliance timelines and security monitoring effectiveness at the affected entities.
Description
On or around January 26, 2021, threat actors associated with the Avaddon ransomware group exfiltrated sensitive data during an attack initially attributed to Capital Medical Center in Olympia, Washington. Avaddon publicly claimed responsibility on February 15, 2021, by adding the organization to their dedicated leak site and releasing approximately 30 GB of files as proof. The leaked data contained over 85,000 files with unencrypted electronic protected health information (ePHI) of patients and personal information of employees. Scanned PDFs included patient names, lab reports, clinical documents, and medical records, with filenames themselves revealing ePHI through patient identifiers. While some records predated 2015, the majority spanned 2015 to January 26, 2021, indicating the exfiltration occurred on or near that final date. Avaddon escalated pressure by moving Capital Medical Center to their "Full Dumps" list after apparent non-payment, making the entire dataset publicly accessible on the dark web.

Subsequent analysis revealed the compromised data primarily originated from Osborn Cancer Care (OCC), a separate entity affiliated with Dr. Dustan C. Osborn, who also practiced at Capital Medical Center. OCC's physical address (3920 Capital Mall Dr.) is close to that of Capital Medical Center (3900 Capital Mall Dr.), which had been acquired by MultiCare Health System in December 2020 and fully integrated by April 1, 2021. MultiCare investigated Avaddon’s claims in February and publicly stated on April 23 that their systems were unaffected, shifting focus to OCC as the likely source. Despite multiple contact attempts by DataBreaches.net, OCC never acknowledged the breach or confirmed their systems were compromised. The incident exposed sensitive patient and employee data for over two months without formal notification to affected individuals or regulatory bodies, as no breach reports appeared on Capital Medical Center’s website, Washington State’s breach list, or the HHS breach portal. DataBreaches.net observed no evidence of ransomware encryption within the dumped files, raising questions about OCC’s detection capabilities during the 30 GB exfiltration. As of April 28, 2021, Washington State authorities had been contacted to investigate potential unreported violations.
