Cyber Incident Victim: Medical Review Institute of America
Date:
Nov 2021
Location:
United States of America
Summary
The Medical Review Institute of America (MRIoA) suffered a ransomware attack in which attackers exploited a vulnerability in its SonicWall equipment to gain unauthorized access to systems holding protected health information. The breach affected more than 134,000 individuals across multiple healthcare clients; the exposed data included patient names, contact details, medical records, and insurance information. MRIoA stated that it had retrieved the stolen data and confirmed its deletion, a claim that implies a ransom was likely paid and that security practitioners regard as unverifiable, since a victim has no way to prove an attacker destroyed every copy. The breach notifications did not say whether the affected data was encrypted at rest, as MRIoA's published security standards claim, and the forensic investigation confirmed that data was exfiltrated during the incident.
Description
On or around November 2, 2021, the Medical Review Institute of America (MRIoA) experienced a ransomware attack that compromised protected health information (PHI) collected during its clinical peer review services. Attackers exploited a vulnerability in MRIoA's SonicWall infrastructure to gain unauthorized access to its systems and exfiltrated data before deploying ransomware. A forensic investigation confirmed the intrusion timeline and the data exposure, though MRIoA did not publicly disclose whether it paid a ransom. In its breach notifications the organization asserted that it had "retrieved and subsequently confirmed the deletion" of the stolen data, but provided no technical evidence for the claim. MRIoA's notification letters, submitted to state attorneys general including those in Vermont and Maine, did not specify whether the compromised PHI was encrypted at rest, despite the organization's published security standards claiming AES-256 encryption for stored data. Even had it been, encryption at rest protects against theft of storage media, not against an attacker who has already gained access to the systems and accounts that decrypt the data in normal use, so the exfiltration would not necessarily have been prevented. The incident affected 134,571 individuals according to Maine's official filing, and breach notifications were issued on behalf of multiple client organizations.

The compromised PHI included sensitive patient information processed for MRIoA's healthcare entity clients, triggering mandatory breach notifications under HIPAA. Affected clients spanned insurers and employers, including Blue Cross Blue Shield affiliates in Rhode Island, Minnesota, Illinois, New Jersey, and Texas; OptumRx; Superior HealthPlan; and the State of Maine's Office of Employee Health and Wellness. MRIoA attributed the breach to exploitation of an unidentified SonicWall vulnerability but did not clarify whether delayed patching contributed to the incident. While the organization highlighted its HITRUST CSF-aligned security program, including file integrity monitoring and audit logging, its notifications omitted any detail about whether those controls detected the intrusion or whether encryption was effective during the breach. Third-party notifications, such as Superior HealthPlan's public advisory, distributed mitigation guidance to affected individuals. The incident was absent from HHS's public breach portal at the time of reporting, and MRIoA did not respond to media inquiries about encryption status or vulnerability remediation timelines.
