Cyber Incident Victim: Atlantic General Hospital
Date: Jan 2023
Location: United States of America
Summary
A ransomware attack disrupted Atlantic General Hospital's network operations, causing temporary outages affecting outpatient imaging, walk-in lab services, pharmacy operations, and pulmonary function testing. The hospital maintained limited patient care using downtime procedures while investigating with external cybersecurity experts and law enforcement, attributing the incident to a China-based threat actor known for targeting healthcare organizations. Leadership confirmed electronic health records remained uncompromised due to remote hosting, though attackers accessed internal servers requiring forensic review. The organization declined ransom demands, relying on cyber insurance and pre-existing security measures while implementing additional safeguards post-incident.
Description
On January 29, 2023, Atlantic General Hospital (AGH) in Maryland experienced a significant ransomware attack that disrupted network operations and caused widespread system outages. The attack was detected that Sunday morning, prompting immediate engagement with the FBI, which reportedly identified the responsible group based on their known tactics. Hospital President and CEO Don Owrey confirmed the attackers operated from China and targeted multiple hospitals using organized methods, including a dedicated call center. Critical clinical areas such as the emergency room, operating room, and endoscopy department remained operational through manual downtime procedures, minimizing direct patient care interruptions. However, outpatient imaging services, the walk-in outpatient lab, pulmonary function testing, and AGHRx RediScripts pharmacy operations were temporarily suspended. The hospital’s electronic health records (EHR) system, hosted remotely, was not compromised, though attackers accessed internal servers containing folders potentially holding protected health information. AGH retained external cybersecurity experts to conduct a forensic investigation while maintaining patient services across unaffected departments.

The hospital declined to pay the ransom demand, citing an ongoing criminal investigation and cyber insurance coverage that supported their recovery efforts. By mid-March 2023, the forensic review was nearing completion, with investigators analyzing server logs to determine whether attackers exfiltrated sensitive data from accessed folders. Owrey emphasized that EHR integrity was preserved and expressed confidence in the hospital’s cybersecurity posture, noting pre-existing safeguards were strengthened post-incident. Network outages persisted for weeks, disrupting administrative and business functions, though clinical workflows adapted through paper-based systems. The attack’s financial and operational impacts were partially mitigated by insurance, but AGH faced prolonged recovery efforts to restore full system functionality. No evidence emerged of medical record theft or misuse of patient data during the investigation. The incident highlighted the hospital’s reliance on contingency protocols and external partnerships to sustain critical care during cyber disruptions while underscoring the organized nature of ransomware threats targeting healthcare infrastructure.
