
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Wayne Memorial Hospital Notifies 163,000 Patients About May 2024 Ransomware Attack

Wayne Memorial Hospital patients have recently been notified that some of their protected health information was stolen by a ransomware group fifteen months ago. Wayne Memorial Hospital, a rural 84-bed hospital in Jesup, Georgia, has recently mailed individual notifications to the 163,400 patients affected by the incident. The ransomware attack was first identified on June 3, 2024, and the forensic investigation revealed that the ransomware group had access to the hospital’s network from May 30, 2024, to June 3, 2024.

The ransomware group exfiltrated files containing patient data, encrypted files on the hospital’s network, and demanded a ransom payment to prevent the publication of the data and to obtain the keys to decrypt the encrypted files. When the attack was identified, the network was disconnected, and systems were taken offline to contain the attack. The ransom was not paid, and files were successfully recovered from backups. The Monti ransomware group claimed responsibility for the attack and added Wayne Memorial Hospital to its data leak site. While the leak site is not currently accessible, the posting received almost 300,000 views while it was live.

The breach notification letters explain that the information involved varies from individual to individual and includes names in combination with some or all of the following: date of birth, Social Security number, driver’s license number, state identification number, user identification and password, financial account number, credit or debit card number, credit card expiration date or CVV code, Medicare or Medicaid number, health insurance member number, healthcare provider number, diagnoses, medical history, treatment information, prescription information, and lab test results or images.

Wayne Memorial Hospital said its systems were quickly secured, and additional cybersecurity measures have been implemented to prevent similar incidents in the future. The data breach was first announced more than a year ago on August 2, 2024, and a press release was issued to local media to put patients on alert that their sensitive data had been exposed; however, it has taken a considerable amount of time to review the affected files and issue notifications.


Individual notification letters started to be mailed on August 27, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The data breach was initially reported to the HHS’ Office for Civil Rights as affecting up to 2,500 individuals; however, the breach turned out to be more severe than that initial estimate, based on the notification to the Maine Attorney General. The HHS’ Office for Civil Rights breach portal has yet to be updated with the latest figure.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com.
