
Cyber Incident Victim: Leon Medical Centers

Date: Nov 2020

Location: United States of America

Summary

A Florida healthcare provider suffered a ransomware attack by the Conti group, compromising sensitive patient and employee data through a malicious document exploiting an unpatched SMBv3 vulnerability. The attackers exfiltrated and published extensive personal information, including names, social security numbers, medical diagnoses, procedure details, and insurance records on the dark web to pressure the organization into paying a ransom. The breach potentially affected hundreds of thousands of individuals, prompting engagement with cybersecurity experts to investigate and notify impacted parties.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
| --- | --- | --- |
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
| --- | --- | --- |
| 1 actor | Available to members | Available to members |

Description

In November 2020, Leon Medical Centers discovered a malware attack compromising its systems, and it publicly disclosed the incident in January 2021. The attack began when an employee opened a malicious document containing exploit code for a critical SMBv3 remote code execution vulnerability; Microsoft had patched that vulnerability in March 2020, but the patch had not been applied in the healthcare provider’s environment. The Conti ransomware gang claimed responsibility for the intrusion, deploying ransomware after gaining initial access and exfiltrating sensitive data. The attackers published extensive patient and employee records on the dark web, including names, addresses, Social Security numbers, Medicaid identifiers, health insurance details, medical diagnoses, prescription histories, and scan results. One specific example was a spreadsheet titled “2018_colonoscopies” listing 102 patients’ procedure dates, diagnostic outcomes, and colonoscopy statuses. The breach affected hundreds of thousands of current and former patients and staff across Leon’s eight Florida locations.

Leon Medical Centers engaged third-party cybersecurity experts to investigate the scope of the breach and mitigate further damage. Spokesperson Yolanda Foster confirmed that the organization would notify affected individuals directly but did not specify a timeline. Conti’s publication of stolen data is consistent with its extortion strategy, though the article did not confirm whether Leon received or paid a ransom demand. The US Department of Health and Human Services had issued an advisory in October 2020 warning healthcare providers about the Conti and Ryuk ransomware threats and highlighting their targeting of medical institutions. Despite this alert, Leon’s systems remained exposed to the SMBv3 vulnerability for more than eight months after the patch became available. The published patient data exposed individuals to potential identity theft, medical fraud, and privacy violations because of the sensitivity of diagnostic and procedural records. The incident caused operational disruption and reputational damage to the healthcare provider, and it demonstrated attackers’ willingness to weaponize personal health information even without a confirmed ransom payment.

Sources

Sources available to members (1 source)