Cyber Incident Victim: Medical Management, Inc.

Date: Nov 2020

Location: United States of America

Summary

Medical Management, Inc. experienced a ransomware attack involving data exfiltration by the Maze Team threat actors, resulting in unauthorized access to electronic claims processing files containing protected health information and health insurance details. The compromised data was publicly disclosed on the attackers' dedicated leak site, yet no notifications to regulators or affected individuals were observed, and the entity did not respond to inquiries regarding breach response efforts. Despite evidence of sensitive data exposure, no public statements or regulatory filings acknowledging the incident were identified.

Description

Medical Management, Inc. (MedMan) experienced a ransomware attack involving data exfiltration by the Maze Team threat actors, with the incident publicly disclosed through Maze’s dedicated leak site. The attackers accessed and dumped electronic claims processing files containing protected health information (PHI), including health insurance details. DataBreaches.net identified the listing on Maze’s site but could not determine the exact date of the initial compromise or exfiltration, though evidence suggested the data theft occurred approximately four months prior to November 3, 2020. Maze’s operational model involved exfiltrating victim data before encrypting systems, then threatening to publish the data unless ransom demands were met. MedMan’s files were among those publicly dumped, confirming unauthorized access to sensitive patient information. No media coverage or public statements from MedMan were identified at the time of the leak’s discovery.

DataBreaches.net contacted MedMan via email on November 3, 2020, seeking confirmation of the incident, details about response actions, and whether affected individuals or regulators had been notified. The organization did not respond to these inquiries. As of the article’s publication date, no breach notification appeared on MedMan’s website, in press releases, or on the U.S. Department of Health and Human Services (HHS) public breach portal. HIPAA regulations required covered entities to report breaches affecting 500 or more individuals within 60 days of discovery, but MedMan’s absence from HHS’s database indicated no formal reporting had occurred within that timeframe. The lack of public disclosure left patients uninformed about the exposure of their health insurance information and other PHI. The Maze Team’s shutdown of operations in late 2020 complicated efforts to verify whether MedMan negotiated with the attackers or secured data deletion. The incident exemplified broader challenges in ransomware response, where delayed or absent notifications hindered patients’ ability to mitigate risks from exposed health data.
