Wayne Memorial Hospital patients received notification recently about a ransomware group that stole their protected health information (PHI) fifteen months ago. The 84-bed rural hospital located in Jessup, Georgia, sent personal notifications to the 163,400 patients impacted by the data breach. Wayne Memorial Hospital first discovered the ransomware attack on June 3, 2024. According to the forensic investigation, the ransomware group gained access to its system between May 30, 2024, and June 3, 2024.
The threat group extracted files that contain patient records, encrypted the files in the system, and required a ransom payment to stop the data exposure and to get the decryption keys. When the hospital discovered the attack, it disconnected the network and shut down systems to control the attack. Though no ransom payment was made, the hospital succeeded in recovering the files from backups. The Monti ransomware group said it conducted the attack and included Wayne Memorial Hospital on its data leak website. The data leak website is no longer accessible to the public, but the post got about 300,000 views while it was live.
According to the breach notification letters, the compromised data differs from person to person and consists of names along with the following data: name, birth date, driver’s license number, Social Security number, state ID number, financial account number, user ID and password, debit or credit card number, expiration date or CVV code, medical insurance member number, Medicare or Medicaid number, doctor number, diagnoses, health background, treatment data, prescription details, and laboratory test data or images.
Wayne Memorial Hospital explained that it secured its systems immediately and implemented more cybersecurity measures, like HIPAA encryption, to avoid the same incidents later on. The data breach’s first announcement was on August 2, 2024, roughly one year ago. The hospital issued a press release to alert the patients about the exposure of their sensitive information; nevertheless, it took a lot of time to analyze the breached records and send notifications.
On August 27, 2025, the hospital began mailing individual notification letters and offered free credit monitoring and identity theft protection services to those affected. The data breach report submitted to the HHS’s Office for Civil Rights initially indicated that up to 2,500 individuals were affected. However, the breach was more serious than initially approximated, according to the Maine Attorney General’s notification. There is no update yet on the HHS Office for Civil Rights breach portal regarding the most recent figure.
Image credit: MP Studio, AdobeStock / logo©WayneMemorialHospital
