Cyber Incident Victim: Accretive Health
Date: Aug 2020
Location: United States of America

Summary
A major medical debt collection firm experienced a ransomware attack disrupting operations and forcing system shutdowns. The incident involved Defray ransomware, known for targeting healthcare entities and typically distributed via malicious email attachments. The compromised organization managed extensive sensitive patient data, including personal identifiers, financial details, and medical records for millions nationwide through its revenue cycle management services. While the company confirmed the attack's occurrence, it withheld specifics regarding the intrusion method or ransomware variant. The disruption coincided with planned financial reporting activities.
Description
In early August 2020, R1 RCM Inc., a major Chicago-based medical debt collection and revenue cycle management firm, experienced a ransomware attack that forced the company to take its systems offline. The incident occurred approximately a week before August 14, coinciding with the scheduled release of the company's second-quarter 2020 financial results. R1 RCM, which reported $1.18 billion in 2019 revenue and served over 750 healthcare organizations nationwide, confirmed it had proactively shut down systems in response to the attack but declined to disclose technical details about the ransomware variant or the initial breach method. Sources familiar with the investigation identified the malware as Defray, a ransomware strain first observed in 2017 that has historically targeted healthcare sector organizations. According to cybersecurity firm Trend Micro, Defray typically spreads through malicious Microsoft Office documents distributed via email campaigns, though R1 RCM did not publicly verify this infection vector in its case. Beyond acknowledging the attack, the company said nothing further, providing no timeline for system restoration and no details about the extent of network compromise prior to ransomware deployment.

The attack impacted an organization managing sensitive personal, financial, and medical data for tens of millions of patients across its healthcare partners. Because of its role in revenue cycle management, a process encompassing patient registration, insurance verification, treatment documentation, and debt collection, R1 RCM's systems contained comprehensive patient records including names, dates of birth, Social Security numbers, billing details, and medical diagnostic information. While the exact duration of unauthorized network access prior to the ransomware activation remained undisclosed, the operational disruption occurred during a critical period for corporate financial disclosures. The company's decision to withhold specifics about containment measures, data exposure, or recovery progress left healthcare providers and patients without confirmation of whether their data had been compromised. R1 RCM is a publicly traded entity on NASDAQ under ticker RCM with 19,000 employees, and given the sensitivity of the data it manages and the number of healthcare organizations relying on its billing and collection infrastructure, the incident represented a significant cybersecurity event in the healthcare financial services sector.
