NC Pathology Practice Alerts 236,000 Patients About Data Breach


Did Marlboro-Chesterfield Pathology Pay Ransom to Cybercriminal Group SafePay?

NC Pathology Practice Notifying 236,000 of Data Theft Hack
Marlboro-Chesterfield Pathology, a laboratory in North Carolina, is notifying nearly 236,000 patients about a data breach incident reported in January. (Image: MCP)

A hacking incident involving Marlboro-Chesterfield Pathology, a North Carolina-based provider of pathology and cytology services, has prompted the notification of nearly 236,000 patients. The breach, which reportedly occurred in January, is attributed to the ransomware group known as SafePay, which has emerged as a significant threat in recent months.

The practice reported the data breach to the U.S. Department of Health and Human Services on May 9, detailing unauthorized access to a network server affecting 235,911 individuals. According to a notice posted on its website, Marlboro-Chesterfield Pathology indicated that unauthorized activity was detected on its internal IT systems around January 16. The laboratory confirmed that an investigation revealed that specific records had been accessed and taken by an unauthorized party.

Following an extensive inquiry concluding on March 31, it was determined that certain patient data was among the records compromised in the breach. The laboratory stated, “We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized party was deleted,” while highlighting efforts to secure their IT infrastructure since the incident was discovered.

Compromised information in the breach includes personal details such as names, addresses, dates of birth, medical treatment history, and health insurance data. Ransomware.live, a security monitoring group, has linked the attack to SafePay, which has been implicated in at least 178 incidents since its inception in November 2024. Legal representatives from the Lyon Firm, which is investigating the potential for class action litigation against the pathology group, also confirmed SafePay’s involvement.

Dark web analyses reveal that SafePay claimed responsibility for the attack in a post dated January 25, and monitoring platforms have noted the presence of Marlboro-Chesterfield Pathology on SafePay’s data leak site; however, the data was reportedly removed by the following Friday. SafePay, believed to be developed from leaked LockBit source code, has characteristics that distinguish it within the ransomware landscape, including a ransom note titled readme_safepay.txt and its encrypted file extensions.

In response to the attack, Marlboro-Chesterfield Pathology reported that it has implemented measures aimed at preventing further unauthorized access and enhancing the security of its networks. The organization did not immediately provide additional details regarding the nature of the hacking incident when approached for comment.

In evaluating the tactics used in this breach against the MITRE ATT&CK framework, techniques such as initial access via exploitation of vulnerabilities, persistence through unauthorized access, and potential privilege escalation can be inferred. This incident illustrates the escalating risks healthcare providers face in the realm of cybersecurity, reinforcing the importance of robust security protocols and incident response strategies to safeguard sensitive patient information.
