Cyber Incident Victim: Missouri Delta Medical Center
Date: Aug 2021
Location: United States of America
Summary
Missouri Delta Medical Center experienced a ransomware attack by the Hive threat group, which claimed to have encrypted files and exfiltrated extensive sensitive data including approximately 95,000 patient records containing personal and medical details, employee information, and financial data. The attackers subsequently dumped 10GB of files containing protected health information and personally identifiable information, evidenced by documents bearing the medical center’s logos and internal records spanning multiple years. Hive threatened to release additional data unless payment was received, increasing their claim to over 184,000 patient records. Despite multiple inquiries and public evidence of the breach, the medical center did not confirm or deny the incident or issue any public statements regarding the compromise of patient and employee data.
Description
In early August 2021, Missouri Delta Medical Center (MDMC) faced operational strain due to a COVID-19 surge that filled its ICU. Around this period, the Hive ransomware group claimed to have encrypted MDMC’s systems on August 23, alleging they exfiltrated approximately 95,000 patients' comprehensive personal and medical information—including names, Social Security numbers, addresses, diagnoses, and next-of-kin details—alongside 400 GB of files containing patient, employee, and financial data. Hive later revised their claim to 184,355 patients’ records. Despite multiple inquiries from DataBreaches.net starting August 31, MDMC did not publicly confirm or deny the attack. On September 10, Hive initiated a data dump, releasing 10 GB of files on a public file-sharing platform. Analysis of the leaked data confirmed its connection to MDMC, including documents bearing the hospital’s logo and internal identifiers like "MDMC OR." The dump contained sensitive materials such as 2017 anesthesiology billing logs with patient diagnoses, medical record numbers, and surgeon details, as well as admission registers from 2006–2013 listing patient names, account numbers, diagnoses, and room assignments. Folders also included insurance billing records and other operational files, though not all directories contained data. Hive threatened to release the remaining data within four days if no payment was made, indicating stalled negotiations.

MDMC maintained silence throughout the incident, failing to respond to media requests or issue public statements acknowledging the breach. The hospital’s website showed no alerts regarding the security incident, leaving patients and employees uninformed about potential risks to their exposed data. The initial 10 GB leak represented a fraction of the purported 400 GB cache, suggesting additional disclosures could follow. While some dumped files contained non-PHI/PII information, the confirmed presence of decades-old patient records indicated significant archival data exposure. The breach’s origin—whether from MDMC’s systems or a third-party vendor—remained unclear due to the hospital’s non-disclosure. Hive removed the initial data dump shortly after posting it but continued hosting the threat on their leak site. The absence of containment measures or communication from MDMC left affected individuals without guidance on mitigating identity theft or medical fraud risks stemming from the exposure of SSNs, medical histories, and financial details.
