
Cyber Incident Victim: Tift Regional Medical Center

Date: Jul 2022

Location: United States of America

Summary

Tift Regional Medical Center experienced a ransomware attack by the Hive group, compromising approximately 1 TB of sensitive data including patient medical records, employee information, internal communications, and financial documents. The attackers demanded $1.15 million during negotiations, later reducing their demand to $225,000 while disputing the hospital's claims of financial constraints by referencing known cyber insurance coverage. Despite the healthcare organization offering $100,000, negotiations collapsed with Hive threatening to publish stolen data, though no confirmed leak occurred at the time of reporting; the parent organization acknowledged an ongoing investigation while disputing unspecified media inaccuracies.


Description

Tift Regional Medical Center in Georgia experienced a ransomware attack that began on July 14, 2022, and concluded on August 8, 2022. The Hive ransomware group claimed responsibility for the breach, asserting they had exfiltrated approximately 1 terabyte of data during the intrusion. The compromised information allegedly included medical records, employee private information, internal corporate documents, and email communications between the hospital and its patients or partners. Hive initiated contact with Tift Regional on August 25, 2022, via email, disclosing the breach and providing a link to view a sample comprising 25% of the stolen data. This sample contained employee and patient details, financial audits, accounting records, and internal operational files. The attackers also furnished a timeline outlining their activities during the intrusion period.

Negotiations commenced on August 26 when a Tift representative responded to Hive’s communication. Hive demanded a ransom payment of $1,150,000, suggesting the hospital could retain $100,000 for legal expenses while threatening data publication if the demand was refused. By September 2, Tift’s negotiator reported their board had authorized a counteroffer of $100,000, which Hive rejected, instead lowering their demand to $225,000 while referencing their awareness of Tift’s cyber insurance coverage. Tift subsequently requested to pay the reduced $225,000 amount, but Hive dismissed this as a final offer, leading to a breakdown in negotiations. Throughout the discussions, Tift’s negotiator attempted to leverage claims of institutional underfunding, a strategy Hive contested based on their intelligence regarding the hospital’s insurance provisions. Southwell, Tift’s parent organization, did not respond to direct media inquiries but issued a public statement through Becker’s Health IT acknowledging an ongoing investigation while disputing unspecified inaccuracies in external reporting. The disposition of the stolen data remained unresolved at the time of reporting, with no confirmation of whether Hive executed their threat to publish the information.
