Neurological Institute of Savannah breach impacts 32,548
Lusanda Molefe May 13, 2025 6:19:07 PM

The Neurological Institute of Savannah & Center for Spine, P.C. (NeuroSav) has disclosed a significant data breach affecting 32,548 individuals. The breach, which occurred over several weeks in mid-2024, involved unauthorized access and data acquisition by the RansomHub ransomware group. The group later posted samples of stolen data online.
What happened
According to a notice issued by NeuroSav and reports to federal regulators, an unauthorized party gained access to and acquired certain electronic files from the Institute’s computer systems between approximately June 1, 2024, and July 21, 2024. NeuroSav stated that upon detecting the unauthorized activity, it immediately contained the incident and launched an investigation with leading cybersecurity experts.
The RansomHub ransomware group claimed responsibility for the attack. On July 26, 2024, RansomHub reportedly posted a sample of the stolen data on a dark web portal, threatening to release the rest of the data within two weeks unless their unspecified demands were met. The Institute's internal review and forensic investigation later confirmed, on or around January 24, 2025, that files potentially acquired by the unauthorized party contained sensitive patient information.
What's new
NeuroSav officially reported the breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights on May 1, 2025, confirming 32,548 individuals were affected. The compromised data for most patients included full names, dates of birth, medical record numbers, diagnosis and condition information, lab results, MRI imaging, CPT codes, medication information, healthcare claims information, and/or subscriber numbers. For a limited number of individuals, Social Security numbers were also involved. NeuroSav is in the process of sending written notification letters to affected individuals and is offering complimentary credit monitoring services specifically to those whose Social Security numbers were compromised.
Why it matters
This breach is severe due to the highly sensitive nature of neurological and spine-related protected health information (PHI) involved, coupled with the confirmed exfiltration of data by a known ransomware group and their public threats to release it. The inclusion of Social Security numbers for some patients further elevates the risk of identity theft and financial fraud. The public posting of sample data by the attackers demonstrates a clear intent to misuse the stolen information.
What they're saying
In its public notice, NeuroSav stated, "The privacy and security of the personal information we maintain is of the utmost importance to The Neurological Institute of Savannah & Center for Spine, P.C ("NeuroSav")." The institute added, "We have no evidence that any protected health information has been or will be misused for identity theft or financial fraud as a direct result of this incident." However, they also advised individuals to remain vigilant. Some attorneys and firms are investigating the breach for potential legal action on behalf of affected patients.
The big picture
This incident shows the aggressive tactics of ransomware groups like RansomHub, which not only encrypts data but also exfiltrates it for double extortion. The timeline (the breach in mid-2024, RansomHub's public data leak threat in July 2024, NeuroSav's internal confirmation of patient data involvement in January 2025, and the notification to HHS in May 2025) points to a complex and lengthy investigation process. It illustrates the significant challenges healthcare providers face in defending against and responding to sophisticated cyberattacks.
FAQs
What is ransomware?
Ransomware is a type of malicious software (malware) that encrypts a victim's files or entire computer systems, making them inaccessible. Attackers then demand a ransom payment in exchange for the decryption key to restore access.
What are the consequences of not meeting a ransomware group’s demands?
If a victim does not pay the ransom, the primary consequence is often the permanent loss of access to the encrypted data, especially if viable backups are not available or were also compromised. Non-payment can also lead to the ransomware group publicly releasing the stolen sensitive information on the dark web, selling it to other cybercriminals, or using it for further malicious activities like identity theft or fraud against the individuals whose data was exposed. This can result in significant reputational damage, regulatory penalties, and legal liabilities for the breached organization, in addition to harm to affected individuals.
What is data exfiltration?
Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or network. In the context of ransomware attacks, it refers to the process where attackers steal copies of an organization's sensitive data before encrypting the original files on the victim's systems. This stolen data is then used as leverage in a "double extortion" tactic where attackers not only demand payment for the decryption key but also threaten to publish or sell the exfiltrated data if their demands are not met.