Cyber Incident Victim: TriValley Primary Care
Date:
Oct 2021
Location:
United States of America
Summary
A Pennsylvania-based healthcare provider with eight locations was targeted in a ransomware attack by the threat actor Groove, who claimed to operate as a lone individual rather than a group. The attacker demanded a $250,000 ransom and threatened to escalate, by flooding the organization's offices and modifying its website, if payment was not made, while publicly taunting the victim in messages machine-translated from Russian. The provider's website suffered intermittent outages that displayed resource-limit errors. The organization did not explicitly confirm a breach beyond posting a prominent notice on its homepage, and patient care reportedly continued during the incident.
Description
On or around October 23, 2021, TriValley Primary Care, a Pennsylvania-based medical practice operating eight locations, experienced a disruptive cyberattack attributed to the threat actor "Groove." Groove publicly claimed responsibility on its website, stating that it was not a criminal group but a lone individual seeking to expose vulnerabilities to media manipulation. The attack targeted TriValley's online infrastructure and significantly disrupted its public-facing website: visitors encountered error messages indicating that resource limits had been exceeded, leaving the site intermittently inaccessible. During periods when the website was operational, TriValley displayed a prominent notice addressing the incident, though the notice did not name Groove as the perpetrator. Groove issued a threatening message on its platform, machine-translated from Russian, demanding a $250,000 ransom payment and instructing TriValley to resume negotiations via an unspecified chat channel. The message warned of escalating attacks, including flooding TriValley's offices and modifying its website, if the demand was not met within a 24-hour deadline.

The attack disrupted TriValley's public-facing web presence, potentially affecting patient access to online services and information during the outages. Despite these operational challenges, the organization maintained continuity of clinical operations and continued to provide patient care across its facilities. Groove's public statements framed the attack as a demonstration of how easily healthcare entities can be exploited for financial gain and media attention, reflecting deliberate targeting of the medical sector. TriValley's public response was limited to the website notice, with no detailed disclosure of the attack's technical scope, any data compromise, or containment measures. The incident illustrates the exposure of healthcare providers to disruptive cyber operations, particularly from actors who use public intimidation to pressure victims. No subsequent public updates from TriValley or Groove regarding resolution of the ransom demand or further disruptions were documented in the available source material.
