Cyber Incident Victim: Adams County Memorial Hospital
Date:
Sep 2020
Location:
United States of America
Summary
Adams County Memorial Hospital experienced a ransomware attack by the Conti group, resulting in the exfiltration and public dumping of over a dozen files primarily containing financial or bank-related information. While no patient health records were confirmed in the initial dump, the attackers' access to systems raised concerns about potential exposure of protected health information. The acute care facility, likely subject to HIPAA requirements, did not publicly acknowledge the incident on its website or through regulatory filings with HHS at the time of reporting, leaving uncertainty regarding operational impacts and compliance with breach notification obligations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Adams County Memorial Hospital was listed on the Conti ransomware group's dedicated leak site on September 5, 2020, following a cyberattack. Conti actors dumped more than a dozen files from the hospital's systems, primarily containing financial and bank-related information. The publicly released data did not include identifiable patient health records or medical files based on initial analysis by DataBreaches.net. As an acute care facility, the hospital is likely subject to HIPAA regulations despite not explicitly referencing HIPAA compliance on its website. The attackers' possession of electronic protected health information (ePHI) remained unconfirmed at the time of reporting, creating uncertainty about whether the incident met HIPAA's breach reporting threshold.
No operational impact statements from the hospital were documented, and the entity did not respond to multiple inquiries from DataBreaches.net regarding the attack's consequences. By November 5, 2020—60 days after the leak site posting—no breach notification appeared on HHS's public disclosure portal. The hospital's website contained no advisories about the incident, and no press releases or public statements were issued acknowledging the compromise. Conti's data dump strategy typically involved incremental releases to pressure victims, leaving open the possibility of future ePHI disclosures that could confirm data exposure. The absence of confirmed patient data exfiltration complicated breach determination timelines, though the 60-day HIPAA notification window expired without regulatory filing or patient communications.