Cyber Incident Victim: Drug Alcohol Testing and Screening Compliance
Date: Nov 2020
Location: United States of America
Summary
A ransomware campaign by the Pysa threat actor group targeted multiple U.S. healthcare entities, using mespinoza malware to exfiltrate and then encrypt sensitive data. Victims included medical providers such as Assured Imaging, OrthoAtlanta, and Woodholme Gastroenterology. These three entities publicly disclosed breaches impacting over 300,000 patients collectively, notifying regulators and affected individuals that personal information including Social Security numbers and medical histories had been compromised. Several other healthcare organizations, including Bolton Street Pediatrics and Overlake OB/GYN, were confirmed to have had medical data exposed but did not issue public notifications or disclosures. Pysa operators employed a double-extortion tactic, threatening to leak stolen data on a dark web site if victims did not pay; some related legal cases were later dismissed in court, while in other cases affected patients were never contacted.
Description
The Pysa ransomware group, also known as "Protect Your System Amigo," emerged as a significant threat to U.S. medical entities by November 2020, continuing a pattern of attacks first observed in 2018. These threat actors employed mespinoza ransomware to encrypt victims' files after exfiltrating sensitive data, operating under a ransomware-as-a-service model. By early 2020, the FBI and France's data protection authority (CNIL) had issued alerts identifying Pysa as "big-game hunters" targeting critical sectors. The group maintained a dark web leak site to pressure victims into paying ransoms by threatening to publish stolen data, with healthcare organizations remaining a primary focus through late 2020. This tactic exposed vulnerabilities in medical sector cybersecurity defenses, particularly among entities handling sensitive patient information.

Among eleven confirmed victims linked to Pysa's November 2020 campaign, only three organizations formally disclosed breaches to federal regulators. Assured Imaging reported the largest incident, affecting 244,813 patients, followed by Woodholme Gastroenterology (50,000 patients) and OrthoAtlanta (5,600 patients); all three issued public notifications confirming unauthorized access to protected health information. Multiple other medical providers—including Bolton Street Pediatrics, Overlake OB/GYN, Mid-Florida Pathology, St. Margaret's Hospice, and Bridgeway Inc.—were listed on Pysa's leak site but had not disclosed breaches publicly at the time of reporting, despite evidence suggesting exposure of thousands of patient records. Compromised data types included Social Security numbers, medical histories, and treatment documentation, creating risks of identity theft and medical fraud. Legal proceedings related to some breaches ended in court dismissals, while the undisclosed cases left patients uninformed about the potential exposure of their sensitive information.
