Pittsburgh Gastroenterology Associates has confirmed a ransomware attack that exposed sensitive patient data and disrupted operations. The ransomware group Sinobi is thought to be behind the attack.
Pittsburgh Gastroenterology Associates (PGA) was hit by a ransomware attack. According to Claim Depot, on 20 August 2025, the ransomware group Sinobi posted PGA on a dark-web leak site, claiming it had gained unauthorized access to the organization’s systems and exfiltrated data.
While the exact number of affected individuals has not been publicly confirmed, the breach notice indicates “thousands” of current and former patients may have been impacted.
According to a data breach notice published on the website, “PGA experienced a network disruption on August 12, 2025. Upon discovering the incident, PGA immediately took steps to secure the network environment and engaged cybersecurity experts to conduct an investigation. The investigation determined that certain files may have been acquired without authorization. PGA then undertook a comprehensive review of the data potentially impacted in this incident to determine whether personal information may have been involved. After a thorough review of the impacted data, which concluded on August 28, 2025, it was determined an unauthorized third party may have acquired certain individual health information during this incident. PGA is providing written notice to all impacted individuals. PGA has no reason to believe that any individual’s information has been misused as a result of this event.” The breach notice further notes that “the following information could have been acquired and disclosed by an unauthorized third party: first name, last name, date of birth, phone number, email address, health insurance information, and diagnosis/condition. Notably, the types of information affected were different for each individual, and not every individual had all the above listed elements exposed.”
Nick Heesters, senior advisor for cybersecurity at the Office for Civil Rights (OCR), notes that from 2019 to 2023, ransomware incidents aimed at entities regulated by HIPAA surged by 102%. In response, OCR released updated ransomware prevention guidance to help covered entities and business associates strengthen cybersecurity and maintain HIPAA compliance.
The guidance points out weaknesses commonly found during investigations, including weak access controls, lack of multi-factor authentication, inadequate backups, poor incident response, and insufficient phishing training. OCR stresses that ransomware attacks often qualify as data breaches under HIPAA if protected health information (PHI) is encrypted or exfiltrated.
Healthcare organizations are urged to review their security risk assessments, enforce least-privilege access, implement a “3-2-1” backup strategy, and ensure workforce members are trained to spot phishing attempts. By proactively following OCR’s recommendations, entities can reduce the likelihood of a breach, limit downtime, and demonstrate compliance in the event of an investigation.
Ransomware attacks affecting healthcare organizations continue to increase, threatening patient privacy, care delivery, and institutional trust. The Pittsburgh Gastroenterology Associates breach underscores how such incidents can expose sensitive data, disrupt operations, and trigger costly HIPAA investigations.
Ransomware is malicious software that encrypts an organization’s data or locks systems, demanding payment (a ransom) to restore access. Attackers often threaten to leak stolen data if demands aren’t met.
Ransomware attacks that result in unauthorized access to protected health information are typically considered HIPAA breaches. The organization must report the incident to the U.S. Department of Health and Human Services and affected individuals.
No. Paying ransom does not guarantee that hackers will decrypt files or delete stolen data. It also encourages further attacks.