Cyber Incident Victim: St. Margaret’s Hospice
Date: Nov 2020
Location: United States of America
Summary
A ransomware attack by the Pysa threat actor group impacted multiple U.S. medical entities, including St. Margaret’s Hospice, through data exfiltration and file encryption using mespinoza malware. While some affected organizations publicly disclosed breaches and patient notifications, the hospice remained silent despite evidence of compromised sensitive information such as Social Security numbers and medical histories, consistent with Pysa’s pattern of targeting healthcare providers and threatening leaks on dark web sites for non-payment.
Description
In late November 2020, St. Margaret’s Hospice was identified among multiple U.S. medical entities compromised by the Pysa ransomware group, also known as "Protect Your System Amigo." This threat actor, active since 2018, employed mespinoza ransomware to exfiltrate and encrypt victims' data, operating under a ransomware-as-a-service model. Pysa had previously drawn attention from law enforcement, including FBI and CNIL alerts in early 2020 warning of their targeting of high-value victims ("big-game hunters") in sectors like healthcare and education. Evidence from Pysa’s dark web leak site—used to pressure victims by threatening to publish stolen data—confirmed St. Margaret’s Hospice’s involvement in the attack cluster alongside entities such as Bolton Street Pediatrics, Overlake OB/GYN, Mid-Florida Pathology, and Bridgeway Inc. The attackers exfiltrated sensitive patient information, including Social Security numbers and medical histories, before deploying ransomware. Unlike three other healthcare providers (Assured Imaging, OrthoAtlanta, and Woodholme Gastroenterology), which reported breaches to the U.S. Department of Health and Human Services (HHS) and issued public notifications, St. Margaret’s Hospice did not disclose the incident through official channels despite confirmation of data exposure.

The attack exposed patient data to potential misuse, aligning with Pysa’s pattern of leveraging stolen information for extortion. While specific patient counts for St. Margaret’s Hospice were not disclosed in available reports, comparable entities in the same breach cluster impacted between 1,000 and 244,813 individuals, with files containing clinical and financial details. No public statements, regulatory filings, or patient notifications from St. Margaret’s Hospice were documented following the incident. This contrasted with other victims like Assured Imaging, which faced class-action litigation post-disclosure, though some cases were later dismissed. The absence of mitigation or containment steps by St. Margaret’s Hospice in the public record left the full operational disruption and data recovery efforts unverified. Pysa’s continued targeting of healthcare organizations underscored systemic vulnerabilities, with St. Margaret’s Hospice representing an unreported case where patient data remained at risk of exposure on dark web platforms due to non-payment of ransoms.
