Cyber Incident Victim: Stockdale Radiology
Date: Jan 2020
Location: United States of America
Summary
A ransomware attack conducted by the Maze Team targeted Stockdale Radiology and resulted in unauthorized access to patient data. The attackers initially exposed a limited number of files publicly, while subsequent investigation revealed additional files were accessible but not confirmed as exposed. The FBI was promptly engaged and initiated an investigation. Affected individuals were notified that their personal information might have been accessible during the breach, though there was no evidence of misuse. The incident highlighted discrepancies between the attackers' claims and the organization's characterization of data exposure.
Description
On January 17, 2020, Stockdale Radiology experienced a ransomware attack attributed to the Maze Team ransomware group. The attackers notified a third-party cybersecurity journalist of the breach via email on January 18, 2020, identifying Stockdale Radiology as one of their victims and providing sample data as proof. The medical center immediately contacted the Federal Bureau of Investigation (FBI), whose personnel arrived at their offices within 30 minutes of notification to initiate an investigation. Stockdale Radiology's internal investigation confirmed that an unauthorized intruder had accessed their systems during the incident. The organization publicly disclosed through breach notifications that a limited number of files had been intentionally exposed by the attackers during the ransomware incident.

By January 29, 2020, Stockdale Radiology's investigation revealed that additional files beyond those initially exposed had been accessible to the threat actor during the breach. The organization issued notifications distinguishing between files that were "publicly exposed" by the intruder and those that were merely "accessible" but not confirmed as exfiltrated or published. These notifications emphasized there was no evidence of actual misuse of personal information from either category of compromised files. The wording of these communications drew external scrutiny over how clearly they differentiated data accessibility from confirmed exposure. The Maze ransomware group's involvement represented a significant escalation, as the group was known for both encrypting victim systems and exfiltrating data to pressure organizations into paying ransoms through threats of public release.
