Cyber Incident Victim: Oregon Anesthesiology Group
Date: Jul 2021
Location: United States of America
Summary
A ransomware attack by the HelloKitty group compromised an Oregon healthcare provider, leading to unauthorized access affecting approximately 750,000 patients and 522 employees. The attackers exfiltrated sensitive patient data, including medical records, insurance details, and treatment codes; employee information such as Social Security numbers and W-2 form data was also exposed. Following the breach, which forced a complete IT infrastructure rebuild and reliance on off-site backups, forensic analysis revealed that credential theft had enabled access to the encrypted systems. The organization strengthened its security measures by deploying multifactor authentication more broadly and replacing its firewalls, and impacted individuals received identity protection services.
Description
On July 11, 2021, Oregon Anesthesiology Group (OAG) experienced a ransomware attack that locked the organization out of its servers, disrupting operations and forcing a complete restoration of systems from off-site backups. The attack necessitated rebuilding OAG’s IT infrastructure from the ground up, with the organization engaging outside cybersecurity experts to investigate the incident. The FBI contacted OAG on October 21, 2021, informing them that accounts associated with the Ukrainian HelloKitty ransomware group—seized by law enforcement—contained sensitive OAG patient and employee files. Forensic analysis determined that attackers had compromised administrator credentials after gaining initial access, enabling them to data-mine and exfiltrate encrypted data. The breach impacted approximately 750,000 patients and 522 current and former employees, with compromised patient data including names, addresses, dates of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers. Employee data exposed names, addresses, Social Security numbers, and details from W-2 forms.

OAG received a finalized cyber forensics report in late November 2021 confirming the extent of the credential compromise and data access. In response, OAG replaced its third-party firewall infrastructure and expanded multifactor authentication across its systems to strengthen security controls. The organization notified affected individuals and offered 12 months of Experian identity protection services and credit monitoring. For individuals whose Social Security numbers were exposed, OAG advised creating a my Social Security account through the Social Security Administration to secure their SSNs. The incident required significant operational recovery efforts alongside coordination with federal law enforcement, though no ransomware payment or explicit extortion demands were disclosed in available reports.
