Ransomware attack on NC pathology lab exposes data of over 235K patients
Kirsten Peremore
May 23, 2025

In January 2025, Marlboro-Chesterfield Pathology (MCP), a full-service anatomic pathology laboratory based in North Carolina, experienced a significant cybersecurity incident involving ransomware.
What happened
On January 16, 2025, MCP discovered unauthorized activity on its internal IT systems, which prompted an immediate investigation. The investigation revealed that files containing sensitive personal information had been stolen. The compromised data included names, addresses, dates of birth, medical treatment details, and health insurance information, with the specific information varying by individual.
On May 22, 2025, MCP reported to the U.S. Department of Health and Human Services (HHS) that the breach affected 235,911 individuals. The ransomware group SafePay, which had also recently attacked the business services provider Conduent, claimed responsibility for the MCP breach in late January. MCP no longer appears on SafePay’s data leak site, which may indicate that a ransom was paid, although this has not been officially confirmed.
What was said
According to MCP’s notice of data breach, “We took prompt action and quickly engaged third-party specialists to assist us in securing our systems and investigating the incident. Law enforcement is aware of the incident and we have cooperated with their investigation. The involvement of law enforcement did not delay this notification. Through a thorough investigation and extensive review of the impacted data, which concluded on March 31, 2025, we determined that some of your personal information was contained in the affected records.”
Why it matters
Healthcare organizations are increasingly targeted due to the high value of medical data on the black market and the critical nature of healthcare services, which may pressure organizations to pay ransoms quickly. The MCP breach exemplifies how such attacks can disrupt healthcare operations and compromise patient care.
It also reveals the urgent need for cybersecurity measures across the healthcare industry to protect against cyber threats and safeguard sensitive patient information.
FAQs
What is the first step we should take after detecting a data breach?
Immediately activate your incident response plan. Isolate affected systems to prevent further access, assess the scope and nature of the breach, and engage your cybersecurity and legal teams. Document all actions taken.
When must we report a data breach under HIPAA?
If the breach affects 500 or more individuals, you must notify affected individuals, the HHS Office for Civil Rights (OCR), and, in some cases, the media within 60 days of discovery. For fewer than 500 individuals, OCR must be notified within 60 days of the end of the calendar year.
What information must be included in the patient notification?
Notices must include a brief description of what happened, the types of information involved, steps individuals can take to protect themselves, what the organization is doing in response, and contact information for further questions.