Cyber Incident Victim: Montgomery General Hospital
Date: Mar 2023
Location: United States of America
Summary
Montgomery General Hospital experienced a ransomware attack where threat actors exploited a Microsoft Exchange vulnerability and deployed ransomware after infiltrating its IT systems, leading to data exfiltration and encryption. The D#nut ransomware group claimed responsibility, exfiltrating historical files containing patient information, employee records, and financial documents, with partial data leaked after negotiations—including a $750,000 ransom demand—broke down. The hospital declined payment, engaged cybersecurity experts for remediation, and confirmed its cloud-based medical records remained secure; however, compromised data included sensitive details such as Social Security numbers, medical histories, and payroll information. Incident response involved notifying affected individuals within regulatory deadlines and offering credit monitoring, while the attack was attributed to an initial phishing compromise and unpatched software vulnerability.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around February 28, 2023, unauthorized individuals gained access to the IT systems of Montgomery General Hospital in West Virginia. By March 1, they deployed ransomware, encrypting data and exfiltrating files from certain servers. The attackers exploited a vulnerability in Microsoft Exchange to infiltrate the network, according to communications from the D#nut ransomware group, which claimed responsibility. While the hospital’s cloud-based electronic medical record (EMR) system was not compromised, the incident prompted the hospital to temporarily take the EMR offline as a precaution, though services were quickly restored without impacting patient care. A third-party security firm was engaged to investigate, revealing that exfiltrated data primarily consisted of historical operational documents such as budget reports, cost analyses, and vendor payment records, alongside some files containing patient information. The hospital did not pay the $750,000 ransom demand, following law enforcement advice and due to the historical nature of the compromised data. Initial reporting to the HHS Office for Civil Rights indicated 500 affected individuals, though this figure was provisional pending further investigation. The hospital committed to notifying impacted patients within the 60-day Breach Notification Rule deadline and offering credit monitoring to those whose Social Security numbers were exposed. Analysis revealed the attack originated from a phishing campaign targeting hospital staff, though the attackers also cited exploitation of an Exchange vulnerability as their entry point. D#nut later leaked portions of the stolen data publicly on their site, including employee personnel records and patient health information, after negotiations with the hospital collapsed.

Negotiations between the hospital and D#nut began on March 5, 2023, when a representative claiming affiliation with the hospital’s executive team contacted the attackers. D#nut’s negotiator, identifying as “d0nut,” asserted they had accessed the network for three days, exfiltrating sensitive patient, employee, and management data without encrypting systems due to the hospital’s critical services role. The group demanded $750,000 for a decryptor and data deletion, providing a partial file tree and sample decrypted files as proof. Montgomery General requested a full file tree, a lower ransom amount, and additional time to seek board approvals, citing its nonprofit status and procedural requirements for large expenditures. The hospital’s negotiator emphasized financial constraints and the need for multiple board meetings, delaying a formal counteroffer. After 26 days of intermittent communication, D#nut leaked the data on March 31, expressing impatience with the hospital’s deliberations. Exfiltrated files included payroll records with employee Social Security numbers and compensation details, patient medical histories, treatment plans, diagnostic results, and insurance billing documents containing policy numbers, service dates, CPT codes, and charges. While large-scale EMR databases were not confirmed in the leak, the exposed data necessitated notifications to patients, employees, and regulators. The hospital did not publicly address the leak’s specifics but maintained that patient care systems remained operational throughout the incident. Ongoing investigations aimed to determine the full scope of compromised data and identify affected stakeholders under regulatory requirements.
