Cyber Incident Victim: Wood Ranch Medical
Date: Aug 2019
Location: United States of America
Summary
Wood Ranch Medical ceased operations following a ransomware attack that encrypted all patient records and backup systems, rendering data recovery impossible. The incident compromised sensitive patient information including names, contact details, dates of birth, insurance data, and health records. Although attackers appeared solely focused on extortion rather than data theft, the irreversible system damage forced the practice to permanently close while assisting patients in transitioning care. This marked the second known healthcare provider closure due to ransomware within a year, following similar circumstances where decryption demands went unmet and critical systems were destroyed.
Description
In August 2019, Wood Ranch Medical (WRM), a California-based healthcare provider, experienced a ransomware attack that encrypted all patient records stored on its servers, including backup hard drives. The encryption rendered the data completely inaccessible, with officials determining that recovery was not technically feasible due to the severity of the damage to their computer systems. This irreversible data loss prevented WRM from rebuilding its medical records, directly leading to the decision to permanently cease operations. The practice announced it would close on December 17, 2019, giving patients approximately three months to transition their care to other providers. Officials indicated the attackers appeared motivated solely by financial gain through ransom demands rather than intent to steal or misuse patient data. Despite this assessment, WRM acknowledged the encrypted servers contained sensitive patient information, including names, contact details, dates of birth, medical insurance information, and health-related data. The inability to restore clinical records eliminated the foundation necessary for continuing medical operations, forcing closure.

WRM formally notified patients about the security incident and impending shutdown, advising them to seek new healthcare providers before the December closure date. The practice committed to assisting patients with this transition during the interim period but confirmed no medical services would be available after the termination date. This incident marked the second ransomware-related closure of a U.S. healthcare provider within a year, following Michigan’s Brookside ENT and Hearing Center, which shut down after refusing to pay a $6,500 ransom demand when attackers wiped its encrypted systems. WRM did not disclose whether a ransom was demanded or paid in their case. The attack’s primary operational consequence was the total destruction of critical medical records and backups, which proved insurmountable for the practice’s continuity. Patient care disruption extended beyond data loss, requiring hundreds of individuals to establish new provider relationships amid fragmented access to their historical medical information.
