Cyber Incident Victim: Metro Presort

Date:

May 2019

Location:

United States of America

Summary

A ransomware attack targeted a business associate, leading to encrypted systems and an initial determination that no protected health information was compromised due to pre-existing encryption. Following a subsequent reinvestigation prompted by regulatory scrutiny, doubts emerged about the encryption's effectiveness, ultimately resulting in a determination that personal health data of up to 38,387 individuals may have been exposed. Two healthcare clients separately reported breaches affecting over 24,000 combined patients, though the relationship between these figures and the business associate's official report remains unclear. Regulatory investigators initially found no violations but later acknowledged potential data compromise.

Description

On or around May 1, 2019, Metro Presort, an Oregon-based business associate handling healthcare data, experienced a Ryuk ransomware attack that encrypted its systems. The company contained the incident rapidly and declined to pay the ransom demanded by the attackers. Metro Presort initially asserted that all electronic protected health information (ePHI) on its systems had been encrypted prior to the ransomware attack as part of its standard security protocols, thereby preventing unauthorized access or acquisition of patient data. Based on this assessment, the organization did not report the incident as a breach under HIPAA regulations at the time of discovery. The ransomware attack itself disrupted operations but did not immediately trigger breach notifications to clients or regulatory bodies due to Metro Presort's conclusion that no reportable data compromise had occurred.

In October 2020—approximately 17 months after the initial incident—Metro Presort reopened its investigation into the ransomware event, possibly following inquiries from the U.S. Department of Health and Human Services Office for Civil Rights (OCR). This reinvestigation cast doubt on the organization's original claim that pre-attack encryption had fully safeguarded ePHI. OCR concluded its separate review on December 31, 2020, finding no HIPAA violations by Metro Presort at that stage. Subsequent developments indicated potential compromise of protected health information, leading to the incident's appearance on HHS's breach reporting tool in 2021. The official entry stated that PHI belonging to up to 38,387 individuals may have been exposed. Two healthcare clients disclosed specific impacts: Salem Clinic reported 20,908 affected patients, while Oregon Heart Center reported 3,172 affected patients. The relationship between these client disclosures and Metro Presort's own reporting to HHS remained unclear, as the company did not publicly clarify whether its submission included these figures or represented a separate assessment. The 21-month gap between the ransomware attack and its appearance on the HHS breach portal highlighted complexities in determining reportability timelines when initial forensic conclusions are later reconsidered.
