Four Healthcare Providers and a Ventilator Manufacturer Attacked with Ransomware

Long Island City, NY-based Boyce Technologies Inc, which makes transport communication systems and recently switched its production facilities to produce ventilators for hospitals during the pandemic, has been attacked with DoppelPaymer ransomware. Data was stolen prior to file encryption and a sample of the stolen data has been published on the threat actor’s blog. The stolen data includes purchase orders, assignment forms, and other sensitive data.

Boyce Technologies Inc. was approved by the FDA to manufacture ventilators and was producing around 300 machines a day. Those ventilators have been used in hospitals in New York and the company is now making ventilators for other areas. The ransomware attack has threatened the production of those ventilators and has potentially put lives at risk.

Piedmont Orthopedics/OrthoAtlanta, a network of orthopedic and sports medicine centers in the greater Atlanta area, has been attacked by threat actors using Pysa (Mespinosa) ransomware. As with the attack on Boyce Technologies, the threat actors exfiltrated sensitive data before encrypting files. According to, around 3.5 GB of data have been published online, including files that contain patients’ protected health information.

Olympia House Rehab in Petaluma, CA and the Center for Fertility and Gynecology in Los Angeles, CA have both been attacked with Netwalker ransomware and have had data stolen and published online, including patients’ protected health information. The Office for Civil Rights breach portal indicates the protected health information of 5,600 patients was compromised.

Muskingum Valley Health Centers in Zanesville, OH has recently notified 7,447 patients that some of their protected health information was potentially obtained by threat actors prior to the use of ransomware on the medical record system used by OB GYN Specialists of Southeastern Ohio Inc.

The EHR contained the records of patients who received care between 2012 and 2017. The attack occurred on May 31, 2020 and was identified on June 2. The investigation found no evidence suggesting patient information was stolen prior to the use of ransomware, although the possibility of data theft could not be ruled out. The attackers potentially had access to names, dates of birth, addresses, Social Security numbers, diagnoses, medical conditions, lab test results, treatment information, insurance claim information, and financial information. Affected individuals have been offered 24 months of complimentary credit monitoring and identity theft recovery services. Security policies, procedures and password requirements have been updated to prevent further attacks.

According to Emsisoft, 41 healthcare providers reported ransomware attacks in the first half of 2020. Double-extortion attacks, which involve threats to publish or sell data if the ransom is not paid, are growing, with many threat groups now adopting this tactic. According to Emsisoft, around 1 in 10 ransomware attacks now involve data theft.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.