Cyber Incident Victim: Woodruff Institute
Date: Jun 2021
Location: United States of America
Summary
A Florida-based dermatology and plastic surgery practice was compromised by the ransomware group "Grief," which publicly leaked stolen data despite previously claiming to avoid targeting healthcare entities. The attackers exfiltrated and released accounting records containing business expenses, profit and loss statements, employee incentive compensation details, and partial financial data including truncated bank account numbers and Social Security numbers alongside PPP loan information. Patient records were also exposed, revealing names, contact details, insurance information, lab test types, and, in older documents, Medicare numbers that matched the patients' SSNs. Additionally, some financial agreements disclosed full credit card numbers from patient payment forms. The threat actors justified targeting the practice by distinguishing plastic surgery as a lucrative sector separate from general healthcare.
Description
On June 11, 2021, the ransomware group "Grief" (also referenced as "Pay or Grief") claimed responsibility for a cyberattack targeting The Woodruff Institute, a Florida-based medical practice specializing in dermatology and plastic surgery. The group listed the institute on its dedicated leak site that day, publicly announcing the breach. By June 15, Grief updated the listing with additional exfiltrated data, escalating the incident. This action contradicted prior statements made by a Grief spokesperson in a June 1 interview, where they claimed to avoid targeting the health sector but explicitly excluded plastic surgery and pharmaceutical entities from that policy, citing financial motivations. The attackers emphasized these sectors' profitability despite their tangential association with healthcare.

The breach exposed two primary categories of sensitive data. The "Accounting" folder contained business records spanning 2015–2021, including routine expenses, annual Profit & Loss statements, and quarterly incentive compensation calculations for named employees through Q1 2021. It also included documentation related to a Paycheck Protection Program (PPP) loan application and forgiveness request. While bank account numbers and employee Social Security Numbers (SSNs) appeared in these files, they were partially truncated, limiting immediate financial risks. The "Financial Agreements" folder contained approximately 50 files from 2019–2020 with patient protected health information (PHI), including full names, addresses, dates of birth, home and cell phone numbers, health insurance details, lab test types, and test purposes. Older files in this folder displayed Medicare numbers that matched patients' SSNs without truncation. Additionally, 2018 files included signed patient agreements for monthly credit card payments, exposing complete credit card numbers. No institutional response actions, containment measures, or detection methods were disclosed in available sources. The incident compromised both employee financial records and patient PHI, with unredacted credit card and Medicare/SSN data posing significant identity theft and fraud risks.
