Cyber Incident Victim: Episcopal Retirement Services

Date: Sep 2021

Location: United States of America

Summary

Episcopal Retirement Services experienced two separate ransomware attacks within a month, compromising systems and servers. The incidents exposed protected health information including names, addresses, Social Security numbers, medical diagnoses, insurance details, and Medicare numbers for potentially over 4,000 individuals. While the organization confirmed both events as ransomware, the intrusion method remained undetermined during ongoing investigations. A threat actor group named Groove listed the entity on its leak site following the second attack, though their actual involvement was unclear before the site's subsequent disappearance.

Description

Episcopal Retirement Services (ERS) in Ohio experienced two separate ransomware attacks within a one-month period in 2021. The first incident was discovered on or about September 24, initially characterized as a cyberattack impacting systems and servers. A second incident occurred on October 22, which ERS confirmed as a ransomware attack. During the investigation of the October incident, ERS determined that the September event was also a ransomware attack. The organization’s external legal counsel, Whiteford, Taylor, & Preston LLP, reported that the method of initial system access remained undetermined as of their November 19 notification to the Maine Attorney General’s office. No specific ransomware variants or ransom demands were disclosed in regulatory filings, and ERS had not appeared on any dedicated ransomware leak sites at the time of initial reporting.

The attacks compromised protected health information (PHI) including names, addresses, genders, Social Security numbers, phone numbers, and dates of birth. Medical diagnoses, healthcare provider names, insurance numbers, and Medicare numbers were also potentially exposed. ERS initiated notifications to 4,133 affected individuals, though the organization cautioned this number might change as investigations continued. On October 23, 2021 – one day after the second attack – the Groove ransomware group listed ERS on their leak site, though the threat actor’s actual involvement remained unclear given Groove’s contradictory public statements about their operational objectives. ERS maintained ongoing investigations and provided updates through their website notice, but no containment measures, forensic findings, or data recovery details were disclosed in available public records. The Groove leak site subsequently became inaccessible, preventing further verification of data claims or attacker attribution.
