Cyber Incident Victim: Tague Family Practice

Date: Mar 2022

Location: United States of America

Summary

Tague Family Practice in St. Louis, Missouri, experienced a LockBit ransomware attack resulting in the theft and public leak of sensitive patient and employee records. The compromised data included personal and protected health information from backups containing billing documents, processed claims, lab reports, and other patient-related files, though no payroll or tax records were identified in initial reviews. The medical practice did not publicly acknowledge the incident or respond to inquiries, leaving the extent of patient impact, notification efforts, and operational disruptions unclear at the time of reporting.

Description

Tague Family Practice, a primary care provider in St. Louis, Missouri, experienced a LockBit ransomware attack on an unspecified date prior to March 17, 2022. The threat actors publicly listed the practice on LockBit’s data leak site on March 17, subsequently releasing stolen files that contained extensive patient and employee information. The leaked data included personal and protected health information (PHI) with significant sensitivity, drawn from subfolders related to billing, processed claims, laboratory results, and other patient records. Forensic sampling indicated the data likely originated from backup systems rather than a structured electronic medical records (EMR) platform. Employee personal information was also compromised, though no payroll or tax documents were identified during initial reviews of the exposed data.

The breach exposed patients to potential identity theft and misuse of sensitive medical data, while employees faced risks from the disclosure of their personal information. Tague Family Practice did not respond to multiple inquiries from DataBreaches.net over a three-week period following the leak, leaving key questions unresolved. As of the report’s publication, no confirmation existed regarding patient notifications, the operational impact of file encryption or system corruption, or the total number of affected individuals. The incident remained absent from the U.S. Department of Health and Human Services’ public breach database, and the practice’s website showed no indications of service disruptions or public acknowledgments of the attack. The lack of transparency from the practice hindered assessments of containment efforts, remediation actions, or regulatory compliance measures.
