Full Report
There are various reasons entities may not want to disclose a data breach or respond to journalists’ inquiries. But when entities do not disclose a breach or deny it, and they do not respond to inquiries, they risk threat actors controlling the narrative. And if threat actors control the narrative, the entity may appear to...
Analysis Summary
# Incident Report: Virginia Urology Data Exposure and Lack of Disclosure
## Executive Summary
Virginia Urology (VU) appears to have suffered a significant data breach on November 9, 2025, resulting in the exfiltration of 927 GB of data, including extensive protected health information (PHI). The threat actor, identified as MS13-089 (a group claiming expertise from Conti, Royal, and LockBit), began leaking data publicly without demanding a ransom, stating they did not encrypt the data to avoid harming patients. Virginia Urology has remained silent and failed to respond to inquiries from journalists regarding the incident, leading to an uncontrolled narrative environment.
## Incident Details
- **Discovery Date:** December 12, 2025 (Date of initial public report/leak verification by DataBreaches.Net)
- **Incident Date:** November 9, 2025 (Date of exfiltration claimed by threat actor)
- **Affected Organization:** Virginia Urology (VU)
- **Sector:** Healthcare (Medical Practice)
- **Geography:** Richmond, Virginia, USA
## Timeline of Events
### Initial Access
- **Date/Time:** November 9, 2025 (Claimed)
- **Vector:** Not stated in the source; the reported outcome (bulk exfiltration of internal data) implies an external compromise of VU systems.
- **Details:** Threat actors (MS13-089) accessed VU systems and stole 927 GB of data.
### Lateral Movement
- *Details not provided in the source material.*
### Data Exfiltration/Impact
- **Date/Time:** Exfiltration after November 9, 2025; the data began leaking publicly around December 12, 2025.
- **Impact:** Exfiltration of 927 GB of data, including patient reports, referrals, detailed medical histories, and PHI stored in plain text.
### Detection & Response
- **Date/Time:** DataBreaches.Net contacted VU via LinkedIn twice in the week leading up to December 12, 2025.
- **Response actions taken:** VU has taken no publicly disclosed response actions. They have not confirmed or denied the breach and have ignored media inquiries.
## Attack Methodology
- **Initial Access:** Unknown/Unspecified external compromise.
- **Persistence:** Unknown/Unspecified.
- **Privilege Escalation:** Unknown/Unspecified.
- **Defense Evasion:** Unknown/Unspecified.
- **Credential Access:** Unknown/Unspecified.
- **Discovery:** Unknown/Unspecified.
- **Lateral Movement:** Unknown/Unspecified.
- **Collection:** Gathering of 927 GB of internal documents, including patient reports and referrals.
- **Exfiltration:** Data was exfiltrated prior to any public disclosure.
- **Impact:** Public exposure of sensitive patient data; the threat actors chose not to deploy ransomware.
## Impact Assessment
- **Financial:** Not explicitly stated, but potential costs related to regulatory penalties (HIPAA) and remediation are implied.
- **Data Breach:** 927 GB of data exfiltrated. Data included extensive Personally Identifiable Information (PII) and Protected Health Information (PHI) such as patient names, dates of birth, account numbers, insurance details, physical addresses, phone numbers, detailed medical histories, surgical reports, and medication lists, often stored in plain text.
- **Operational:** No immediate mention of operational disruption (e.g., ransomware encryption).
- **Reputational:** Significant risk due to the public data leak and the organization's subsequent silence, potentially leading stakeholders to perceive the entity as "covering up a breach, incompetent, or indifferent."
## Indicators of Compromise
*The source provides no network indicators (IPs, domains, or URLs, defanged or otherwise); its focus is the disclosure failure rather than the intrusion itself.*
- **Behavioral indicators:** Threat actor self-identified as MS13-089, claiming ties to experienced ransomware groups (Conti, Royal, LockBit).
## Response Actions
- **Containment measures:** None publicly disclosed by VU.
- **Eradication steps:** None publicly disclosed by VU.
- **Recovery actions:** None publicly disclosed by VU, including support for affected patients.
- **Communication:** Zero communication from VU to the media, website, or social media regarding the incident.
## Lessons Learned
- Failure to promptly disclose a significant data breach, especially one involving sensitive PHI, allows threat actors to control the public narrative completely.
- Storing key identifying data such as patient names and DOBs in plain text filenames increases the exposure risk during a breach.
- Lack of communication can lead to greater reputational damage than acknowledging an incident swiftly.
## Recommendations
- Immediately investigate the compromise to determine the full scope and root cause.
- Develop and execute a transparent communication plan, addressing regulatory notification requirements (e.g., HIPAA).
- Audit data storage and naming conventions to ensure PHI/PII is encrypted or sufficiently masked, especially in filenames.
- Establish formal incident response communication protocols for engaging with media inquiries during a security event.
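The lesson about identifiers in plain-text filenames, and the recommendation to audit naming conventions, can be turned into a concrete control. The following Python script is an added example, not code from the source article or from Virginia Urology: it scans a constructed file listing for patient-name and date-of-birth tokens and rewrites flagged filenames with keyed pseudonyms, so a leaked directory listing reveals nothing on its own while the practice (holding the key) can still rebuild the mapping. The filenames, the patient roster, the key and the regex heuristics are all assumptions made for the demonstration; a real audit would query the practice's patient index instead of a hard-coded roster.

```python
"""Audit filenames for embedded patient identifiers and pseudonymize them.

Constructed example: filenames, roster and key are made up for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Any full date in a filename is flagged. A DOB and a document date look the
# same to a pattern match, so a reviewer decides which it is.
DATE_RE = re.compile(
    r"(?<!\d)(?:\d{4}[-_.]?\d{2}[-_.]?\d{2}|\d{2}[-_.]?\d{2}[-_.]?\d{4})(?!\d)"
)
# Lastname_Firstname or Lastname-Firstname tokens (capitalised words).
NAME_RE = re.compile(r"(?<![A-Za-z])([A-Z][a-z]+)[_\-]([A-Z][a-z]+)(?![a-z])")

# Constructed patient roster (last names only). Assumption for the demo;
# a real check would look tokens up in the practice's patient index.
ROSTER_LAST_NAMES = {"Smith", "Garcia", "Nguyen"}

# Constructed demo key. In practice this lives in a secrets store, never
# beside the files it protects.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed directory listing resembling the kind of names the article
# describes (name and DOB in the filename itself).
FILES = [
    "Smith_John_1987-03-14_surgical_report.pdf",
    "Garcia-Maria_DOB_03141962_referral.docx",
    "Annual_Report_2025.pdf",
    "Nguyen_Linh_medication_list.txt",
]


@dataclass(frozen=True)
class Finding:
    filename: str
    kind: str   # "dob" or "name"
    token: str  # the exact substring that should not be in the filename


def scan_filename(filename: str) -> list[Finding]:
    """Return one Finding per identifying token found in the filename."""
    findings: list[Finding] = []
    for m in DATE_RE.finditer(filename):
        findings.append(Finding(filename, "dob", m.group(0)))
    for m in NAME_RE.finditer(filename):
        last_name = m.group(1)
        if last_name in ROSTER_LAST_NAMES:
            findings.append(Finding(filename, "name", m.group(0)))
    return findings


def scan_listing(filenames: list[str]) -> list[Finding]:
    """Scan a whole listing; the result is the audit report."""
    return [f for name in filenames for f in scan_filename(name)]


def pseudonym(token: str, key: bytes) -> str:
    """Stable keyed tag for a token (HMAC-SHA256, first 5 bytes as letters).

    Without the key the tag cannot be reversed, nor confirmed against a guessed
    name or DOB; with the key the practice can rebuild the lookup table.
    Letters only, so a tag can never itself look like a date.
    """
    digest = hmac.new(key, token.encode(), hashlib.sha256).digest()
    alphabet = "abcdefghijklmnop"
    return "".join(alphabet[b >> 4] + alphabet[b & 15] for b in digest[:5])


def mask_filename(filename: str, key: bytes) -> str:
    """Replace every flagged token in the filename with its pseudonym."""
    out = filename
    for f in scan_filename(filename):
        out = out.replace(f.token, pseudonym(f.token, key))
    return out


if __name__ == "__main__":
    for f in scan_listing(FILES):
        print(f"{f.kind:4}  {f.token!r:28} in {f.filename}")
    for name in FILES:
        print(f"{name}  ->  {mask_filename(name, DEMO_KEY)}")
```

Run it against a real export of a file listing (one name per line) by replacing `FILES`; any filename that produces a finding is a candidate for renaming, and the masked form shows what the renamed file would look like. The keyed tag, rather than a plain hash, matters: an unkeyed hash of a name or DOB is trivially confirmed by anyone who can guess the input.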