Cyber Incident Victim: NCG Medical

Date:

Aug 2022

Location:

United States of America

Summary

A Florida-based medical billing service experienced a ransomware attack by the Hive group, resulting in encrypted systems and the exfiltration of over 270 GB of sensitive data. The compromised information included protected health information such as patient names, addresses, Social Security numbers, diagnoses, and insurance-coded medical records, alongside corporate documents such as contracts, financial records, and proprietary software source code. The attackers claimed possession of over 50,000 personal records as well as data belonging to healthcare clients that are HIPAA-covered entities. The victim organization did not engage with the threat actors, and the breach was publicly disclosed on Hive's leak site within days. The incident significantly affected client entities and required extensive breach assessment and notification work.

CIA Posture: Available to members
Motives: 1 motive (available to members)
Tactics, Techniques & Procedures: 2 techniques (available to members)
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around August 19, 2022, the Hive ransomware group compromised the network of NCG Medical, a Florida-based medical billing service, conducted reconnaissance, exfiltrated data, and encrypted files. Hive claimed to have stolen over 270 GB of sensitive information, including medical records containing patient names, addresses, Social Security numbers, and diagnoses; corporate financial documents such as budgets, tax records, and contracts; client business information including payroll data and deposits; proprietary software source code for PerfectCareEHR and the billing services; and SQL database backups containing business reports and customer data. The group asserted that approximately 50,000 personal records with addresses and SSNs were compromised. On August 31, 12 days after the claimed encryption date, Hive publicly listed NCG Medical on its leak site, stating that it had received no response from the victim. That window is unusually short compared to typical ransomware negotiation periods.


The breach exposed protected health information (PHI) belonging to patients of NCG's clients, which included HIPAA-covered entities such as medical clinics and practices. One archived file alone contained nearly 10,000 insurance-coded patient records with identifiable health data. The incident created significant operational and compliance challenges for NCG, requiring extensive analysis to determine its notification obligations under its business associate agreements, including whether affected patients, the client entities, or both needed to be alerted. As of September 2, 2022, NCG had not publicly acknowledged the incident or responded to inquiries from either Hive or media outlets, suggesting the organization was still assessing the scope and impact of the attack. The encryption of servers left unresolved questions about whether functional backups were available and whether NCG's billing operations were disrupted. The data Hive posted on its leak site contained such detailed evidence of the compromise that the investigators who reviewed it refrained from publishing even redacted samples, given the risk of accidentally exposing PHI.

Sources
1 source (available to members)