
Cyber Incident Victim: One Community Health

Date: Apr 2021

Location: United States of America

Summary

One Community Health experienced a cyberattack involving unauthorized exfiltration of sensitive patient data, including Social Security numbers alongside personal, insurance, and medical details. The incident was attributed to a ransomware group. Breach notifications were delayed beyond regulatory timeframes, with no resulting enforcement actions. The organization enhanced its cybersecurity measures, such as endpoint detection and monitoring services, and offered credit protection to some affected individuals.


Description

On or around April 20, 2021, One Community Health, an Oregon-based healthcare provider, experienced a cyberattack involving data exfiltration by the Pysa ransomware group. The threat actors publicly listed the organization on their leak site, claiming to have stolen sensitive patient information, though the dumped data itself was inaccessible at the time of reporting. One Community Health discovered the breach on April 20 but did not publicly disclose the incident until November 22, 2025, when it notified state attorneys general and published a website notice. This notification occurred well beyond the 60-day requirement stipulated by HITECH for breaches involving protected health information, though no enforcement actions or penalties from HHS were reported. The compromised data included patients’ Social Security numbers combined with additional personal and medical details such as full names, dates of birth, addresses, insurance information, diagnoses, and treatment records. The organization’s notice omitted critical contextual details about the ransomware attack’s nature and the threat actors’ data publication on the dark web, while also failing to specify the total number of affected individuals. One Community Health stated it found no evidence of fraud stemming from the incident but offered complimentary credit monitoring services to an unspecified subset of impacted patients.

Following the attack, One Community Health implemented significant cybersecurity upgrades through partnerships with external experts. These enhancements focused on improving endpoint detection capabilities, establishing 24/7 managed detection and response services, and strengthening email and attachment security protocols. The organization framed these measures as necessary steps to better safeguard patient data, staff operations, and community services, though no technical specifics about the attack vector or initial vulnerabilities were disclosed. The incident remained absent from HHS’s public breach reporting tool at the time of the article’s publication, leaving the full regulatory and operational consequences unclear. One Community Health’s delayed notification and opaque communication contrasted with the confirmed exposure of high-sensitivity health and identification data, creating unresolved questions about compliance timelines and patient risk management.
