Cyber Incident Victim: Ventura Orthopedics
Date: Aug 2020
Location: United States of America
Summary
A ransomware attack targeted Ventura Orthopedics, involving both Maze and Conti-Ryuk operators who separately leaked stolen patient data. Maze initially listed the victim on their leak site, claiming to have exfiltrated data and releasing a sample, while Conti-Ryuk later published additional files including lab reports containing names, dates of birth, medications, and diagnostic results. Sensitive information was further exposed through filenames structured to include patient identifiers. The practice utilized backups to mitigate operational disruption, and no ransom payment was confirmed. Forensic analysis was ongoing to determine the full scope and attack methodology.
Description
On or around August 2, 2020, Maze ransomware operators listed Ventura Orthopedics on their data leak site, claiming to have exfiltrated files from the practice’s servers. The threat actors uploaded an archive purporting to contain 5% of the stolen data, as reported by cybersecurity firm Cyble. Ventura Orthopedics did not initially issue a public statement or update its website, and no entry appeared on the U.S. Department of Health and Human Services’ breach portal at the time. Subsequently, Conti-Ryuk ransomware operators created a separate leak site listing Ventura Orthopedics as a victim, publishing 1,850 files from the organization. A portion of these files contained patient-specific information, including lab and diagnostic reports from RX Diagnostic Management, Inc., which disclosed names, dates of birth, medications, and laboratory results. The practice’s file-naming convention—structured as “lastname_first2lettersoffirstname_DOB(yyyy/mm/dd)”—exposed protected health information (PHI) through filenames alone, even without accessing file contents. Maze and Conti-Ryuk operators released distinct sets of files, though the nature of their collaboration in the attack remained unclear. DataBreaches.net attempted to contact Ventura Orthopedics for clarification but received no immediate response.
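
An added example, not from the original report: a filename audit for the naming convention described above, which finds files whose names alone carry a patient's surname, initials and date of birth. The on-disk separator handling, the function names and the sample filenames are assumptions constructed for illustration.

```python
import re
from datetime import date

# Assumed on-disk form of the convention the report describes:
# lastname_first2lettersoffirstname_DOB. "/" cannot appear in a filename on
# common filesystems, so the DOB separator is assumed absent or one of - . _
PHI_NAME = re.compile(
    r"(?<![A-Za-z])(?P<last>[A-Za-z][A-Za-z'\-]+)_(?P<first2>[A-Za-z]{2})_"
    r"(?P<y>(?:19|20)\d{2})[-._]?(?P<m>\d{2})[-._]?(?P<d>\d{2})(?!\d)"
)

def redact(name, match):
    """Replace the identifying span so the audit report does not repeat the PHI."""
    return name[:match.start()] + "[REDACTED]" + name[match.end():]

def find_phi_filenames(names, today=None):
    """Return (original, redacted) pairs for names that embed surname + initials + DOB."""
    today = today or date.today()
    hits = []
    for name in names:
        m = PHI_NAME.search(name)
        if not m:
            continue
        try:
            dob = date(int(m["y"]), int(m["m"]), int(m["d"]))
        except ValueError:
            continue  # e.g. month 13: not a calendar date, so not treated as a DOB
        if dob <= today:  # a birth date cannot lie in the future
            hits.append((name, redact(name, m)))
    return hits

# Constructed sample filenames (not taken from the leaked data).
SAMPLE = [
    "Doe_Ja_1970-01-31.pdf",          # convention with dashed DOB
    "lab_smith_an_19851224_cbc.pdf",  # convention embedded in a longer name
    "invoice_2020_08.xlsx",           # no name/initials/DOB triple
    "Doe_Ja_1970-13-40.pdf",          # matches the shape but is not a real date
    "report_v2_20200802.pdf",         # "v2" is not two letters
]

if __name__ == "__main__":
    for original, safe in find_phi_filenames(SAMPLE):
        print(f"PHI in filename -> rename candidate: {safe}")
```

The same function can be fed the names yielded by `os.walk` over a file share; flagged files are candidates for renaming to an opaque record identifier.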

By August 28, 2025, Ventura Orthopedics engaged Chris Roberts of HillBilly Hit Squad to assist with incident response and forensics. The practice confirmed proactive measures, including maintaining backups, which mitigated potential operational disruptions. While the ransomware attack caused some impact, the organization emphasized the situation could have been more severe. Forensic analysis remained ongoing, delaying a comprehensive public explanation of the attack vector and full scope. No ransom payment was confirmed, and the absence of an HHS breach listing suggested the incident might not have met federal reporting thresholds or was under investigation. The exposure of patient data through filenames and clinical documents represented a confirmed privacy impact, though the total number of affected individuals was not disclosed. Ventura Orthopedics’ eventual outreach to DataBreaches.net indicated a shift toward transparency as internal investigations progressed.
