Cyber Incident Victim: Amphastar Pharmaceuticals
Date: May 2020
Location: United States of America
Summary
Amphastar Pharmaceuticals experienced a ransomware attack where threat actors exfiltrated employee data, later discovered when stolen information was posted online. The attackers accessed legacy records containing names and Social Security numbers, but no financial, medical, or credential data was compromised. The organization contained the incident without paying ransom, restored operations using backups, and notified affected individuals following confirmation of data exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 2, 2020, Amphastar Pharmaceuticals experienced a ransomware attack that initially appeared contained without data exfiltration. The company restored operations promptly using backups and did not pay any ransom. Threat actors later identified as the DoppelPaymer group publicly listed Amphastar on their leak site on July 21, 2020, uploading stolen files as proof of access. This external disclosure prompted Amphastar’s discovery of the data breach on July 24, contradicting its earlier assessment that no information had been removed during the May incident. The company engaged a cybersecurity specialist to investigate the intrusion and confirmed the attackers had exfiltrated legacy employee data approximately 15 years old.

Amphastar notified affected current and former employees on August 27, 2020, confirming the compromised data included names and Social Security numbers but excluded driver’s licenses, financial details, medical records, and login credentials. The investigation found no evidence of broader system compromise beyond the exfiltrated files. Amphastar emphasized its refusal to negotiate with the threat actors despite the data leak and highlighted the restoration of operations through backups. The incident occurred amid increased ransomware targeting of healthcare organizations during the COVID-19 pandemic, as noted in the company’s notification. No additional technical details regarding attack vectors, initial detection methods, or specific containment measures beyond backup usage were disclosed in the public notification.
