In September 2022, DataBreaches broke the story of how Hive had attacked Tift Regional Medical Center in Georgia between July and August. The attack did not involve encryption of systems but Hive claimed to have exfiltrated about 1 TB of data, including files with protected health information.
On October 14, Tift notified HHS of an incident. They used 500 as the number affected, which suggested that at that point, they had not yet determined exactly how many patients had been affected.
On August 11, 2023, Tift notified the Maine Attorney General’s Office of the incident and reported that 180,142 people were affected. It is not clear from their notification how many of those were patients, and the entry on HHS’s public breach has not been updated yet.
Tift’s letter to patients does not reveal that data was shared with journalists or leaked on the dark web. Nor does it explain why, if there was no encryption, it took them a year from discovery to make notifications.