Memorial Hospital & Manor faces scrutiny over ransomware attack and data leak

Memorial Hospital & Manor (MH-M), a healthcare facility based in Georgia, is facing growing concerns over its handling of a ransomware attack that compromised the sensitive information of over 120,000 individuals. The attack, which reportedly took place on November 1, 2024, was discovered by the hospital a day later, yet months passed before any public disclosure was made.

According to WALB, MH-M first acknowledged the incident through a Facebook post, which has since been removed. The hospital did not immediately notify the U.S. Department of Health and Human Services (HHS), failing to even provide a placeholder indicating an unknown number of affected patients. It was only on February 8, 2025, that MH-M formally reported the breach to the Maine Attorney General’s Office, revealing that 120,085 individuals were impacted. However, to date, no record of the incident has appeared on HHS’s public breach tool, raising further concerns about the hospital’s transparency.

On February 10, MH-M published a substitute notice on its website, describing the breach as a "data security incident." The notice did not mention that the attack was the result of ransomware or disclose the identity of the attackers. While the hospital acknowledged that an unauthorized entity accessed and acquired patient data—including names, Social Security numbers, dates of birth, health insurance details, and medical histories—there was no mention of whether this information had been leaked publicly.

Despite the hospital’s omission, reports confirm that the Embargo ransomware group was behind the attack. The group claimed to have exfiltrated 1.15 terabytes of data, which they later published after MH-M refused to meet their ransom demands. According to an inquiry by DataBreaches, Embargo representatives stated that MH-M had engaged in negotiations, offering $500,000 as payment, an amount that the hackers ultimately declined. The full extent of the leaked data remains unclear, but given the nature of the stolen information, affected individuals could face heightened risks of identity theft and fraud.

MH-M has maintained that it promptly reported the incident to the FBI but has provided no explanation for its failure to notify HHS. As of February 14, inquiries made by DataBreaches regarding this issue remain unanswered.

The breach raises critical questions about MH-M’s approach to crisis management and regulatory compliance. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations are required to report data breaches affecting 500 or more individuals to HHS without unreasonable delay. The continued absence of an entry on HHS’s breach portal suggests a possible failure in following established protocols.

While MH-M’s decision not to pay the ransom aligns with FBI recommendations against rewarding cybercriminals, cybersecurity experts argue that transparency is essential in mitigating the damage caused by such attacks. By not openly acknowledging the ransomware element or warning affected patients of their data’s exposure on the dark web, the hospital risks leaving individuals unaware of the potential threats they now face. With no response from MH-M and no formal acknowledgment from HHS, the situation remains unresolved. Whether the hospital will face regulatory consequences for its delayed disclosure and lack of transparency is yet to be determined.