Cyber Incident Victim: Bolton Street Pediatrics
Date: Feb 2021
Location: United States of America
Summary
Bolton Street Pediatrics fell victim to a ransomware attack by the Pysa threat actor group, which exfiltrated sensitive patient data before encrypting files. The attackers, known for targeting medical and educational entities, exposed over 1,000 patients' information, including medical histories and Social Security numbers, but the organization did not publicly disclose the breach or notify affected individuals despite evidence of the compromise. Pysa typically publishes stolen data from non-paying victims on its dark web leak site, as it did in contemporaneous attacks on other healthcare providers that opted against disclosure; this stands in contrast to three peer entities that reported their incidents to regulators and issued patient notifications.
Description
The Pysa threat actor group, also known as "Protect Your System Amigo," targeted Bolton Street Pediatrics in a ransomware attack occurring prior to November 2020, part of a broader campaign against U.S. medical entities. Pysa utilized Mespinoza ransomware to encrypt files after exfiltrating sensitive patient data, operating under a ransomware-as-a-service model common among "big-game hunter" groups focused on high-value sectors like healthcare. The attackers employed double extortion tactics, threatening to publish stolen data on their dark web leak site if ransoms remained unpaid. Forensic evidence confirmed the compromise of protected health information belonging to over 1,000 pediatric patients, including Social Security numbers and medical histories. This attack followed documented alerts from the FBI and France's CNIL earlier in 2020 warning about Pysa's evolving capabilities against vulnerable networks.

Despite confirmation of data exposure through Pysa's leak site and peer disclosures, Bolton Street Pediatrics did not file a breach report with HHS or issue public notifications to affected patients by the time of reporting. This contrasted with three other medical providers in the same attack wave—Assured Imaging, OrthoAtlanta, and Woodholme Gastroenterology—that disclosed incidents impacting hundreds of thousands of patients collectively. The absence of disclosure left patients unaware of potential identity theft risks from exposed SSNs and medical details. No containment measures, forensic findings, or post-incident adjustments were publicly documented by Bolton Street Pediatrics. The attack exemplified Pysa's continued focus on healthcare targets and the operational challenges in tracking breach outcomes when entities avoid regulatory reporting obligations.
