Cyber Incident Victim: Sturdy Memorial Hospital
Date: Feb 2021
Location: United States of America
Summary
Sturdy Memorial Hospital experienced a ransomware attack resulting in the theft of patient information, prompting the organization to pay a ransom to secure assurances that the stolen data would not be further distributed and had been destroyed. The incident impacted between approximately 42,000 and 57,000 individuals, who were offered two years of credit and identity monitoring services following the breach.
Description
On February 9, 2021, Sturdy Memorial Hospital in Attleboro, Massachusetts, experienced a cybersecurity incident involving unauthorized access to its systems, resulting in the theft of patient information. The hospital publicly confirmed the breach via a statement on its website, disclosing that hackers had compromised its network and exfiltrated sensitive data. In response to the theft, the hospital engaged in negotiations with the threat actors and ultimately paid a ransom to prevent further dissemination of the stolen information. The hospital asserted that the payment secured assurances from the attackers that the data would not be distributed further and had been destroyed, though no independent verification of these claims was provided. The incident represented a confirmed case of ransomware or extortion involving protected health information, though the specific malware or attack vector used was not detailed in public disclosures. Initial reports did not specify the number of affected individuals or the exact types of data compromised at the time of the February disclosure.

The hospital began notifying regulatory bodies and affected individuals months after the incident. By May 28, 2021, Sturdy Memorial Hospital reported to the U.S. Department of Health and Human Services that 57,379 individuals had been impacted by the breach. However, on June 1, 2021, external legal counsel for the hospital provided conflicting information to the Maine Attorney General’s Office, stating that only 42,336 individuals had been notified. All affected individuals received offers for two years of complimentary credit and identity monitoring services through Experian, regardless of the discrepancy in reported figures. The hospital did not publicly clarify the reason for the variance in victim counts between the HHS and Maine AG filings. No additional technical details about containment measures, system restoration timelines, or forensic investigation findings were disclosed in the available public statements. The incident highlighted operational impacts including data loss, financial costs from the ransom payment, and reputational damage from the confirmed theft of patient records.
