Cyber Incident Victim: Meadville Medical Center
Date: Mar 2020
Location: United States of America
Summary
A healthcare organization experienced a cyberattack initially affecting its employee payroll system, followed months later by a malware incident disrupting electronic health records and email systems amid pandemic-related operational challenges. The EHR system was restored within days, but core functions required weeks to fully recover. While the institution asserted that there was no evidence of unauthorized access to patient data, clinical operations relied on alternative systems during the outage. No ransomware demands were publicly acknowledged, and workforce reductions preceding the attack were unrelated to cybersecurity issues. Recovery efforts extended beyond initial projections, significantly impacting hospital infrastructure during a period of reduced patient volumes.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Meadville Medical Center experienced two cybersecurity incidents in early 2020. On January 30, the organization began investigating an apparent attack targeting its employee payroll system, with initial assessments indicating no compromise of patient data. This incident preceded a more disruptive malware attack discovered on March 26, coinciding with operational strain caused by pandemic-related patient volume declines that had recently prompted hundreds of employee furloughs. The March malware infection significantly impacted critical infrastructure, disabling electronic health record systems and email communications. Hospital administrators initially projected restoration of EHR functionality within days, expressing public confidence about weekend recovery timelines.

Technical recovery efforts proved more complex than anticipated. While partial EHR access resumed five days post-attack on March 31, multiple core systems remained inoperative three weeks later, with hospital leadership projecting full restoration of primary systems during the week following April 16. Throughout the disruption, clinical operations relied on alternative documentation methods while investigators found no evidence of patient data exfiltration. The medical center explicitly denied receiving any ransom demands related to either incident. Operational challenges were compounded by preexisting workforce reductions, though officials maintained no connection between furlough decisions and cybersecurity events. Restoration priorities focused on reactivating clinical systems while maintaining emergency services throughout the extended recovery period.
