Cyber Incident Victim: Heartland Healthcare Services
Date: Apr 2022
Location: United States of America
Summary
Heartland Healthcare Services experienced a ransomware attack in which unauthorized actors accessed and exfiltrated patient data, including names, addresses, telephone numbers, medication details, and related information belonging to 2,763 individuals served by several affiliated pharmacies. The organization detected the incident when staff were locked out of files on its network, consulted law enforcement, and declined to pay the ransom demand; some of the stolen data subsequently appeared on the ransomware gang's dark web leak site. Security measures were strengthened after the breach to reduce the risk of a recurrence.
Description
On April 11, 2022, Heartland Healthcare Services, a Toledo, OH-based pharmacy owned by HCR-ManorCare and CVS Health, detected a ransomware attack that prevented staff from accessing files on its network. The investigation confirmed unauthorized actors exfiltrated files containing patient data prior to deploying the ransomware. A ransom demand was issued by the attackers, but Heartland Healthcare Services consulted with the Federal Bureau of Investigation and opted not to pay. The organization subsequently discovered that some of the stolen data had been uploaded to the ransomware gang’s dark web data leak site, indicating public exposure of sensitive information. Forensic analysis determined the breach impacted 2,763 patients who had received medications through Heartland Pharmacy of Pennsylvania, Heartland Pharmacy of Maryland, or Heartland Pharmacy of Illinois.

The compromised files contained names, addresses, telephone numbers, medication names, and other medication-related details. Heartland Healthcare Services found no evidence that Social Security numbers, financial data, or medical diagnoses were taken, which limits the known scope of the breach to demographic and prescription information. Following the attack, the organization implemented strengthened security measures to prevent future incidents, though the specific technical controls were not disclosed in public reports. No statements indicated whether the law enforcement investigation led to the identification of the threat actors. The breach notification process confirmed that all affected individuals were alerted; the article did not specify whether credit monitoring services were offered, although the exposed data types did not include high-risk identifiers such as Social Security numbers. Because exfiltration was confirmed and the data was later published on the dark web, this incident is a data theft and not solely a disruptive ransomware event.
