[{"data":1,"prerenderedAt":125},["ShallowReactive",2],{"article-slug-utah-surgical-practice-rmas-breach-exposes-data-of-50000-patients":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":28,"sources":29,"events":41,"mitre_techniques":45,"mitre_mitigations":62,"d3fend_countermeasures":80,"iocs":91,"cyber_observables":92,"tags":110,"extract_datetime":116,"article_type":117,"impact_scope":118,"pub_date":33,"reading_time_minutes":124,"createdAt":116,"updatedAt":116},"fe2d17d3-2449-42ea-a4ac-cda9c6a6efea","utah-surgical-practice-rmas-breach-exposes-data-of-50000-patients","Utah Surgical Practice Data Leaked by 'PEAR' Ransomware; 50,000 Patients' SSNs and Financial Info Exposed","Rocky Mountain Associated Physicians Suffers Data Breach; PEAR Ransomware Group Leaks Data of 50,640 Patients","Rocky Mountain Associated Physicians (RMAP), a Utah-based surgical practice, has reported a data breach affecting 50,640 patients. A threat group calling itself 'PEAR' (Pure Extortion and Ransom) has claimed responsibility, and after its ransom demands were not met, it leaked the stolen data on the dark web. The compromised information is highly sensitive, including patient names, Social Security numbers, medical diagnoses, and in some cases, debit/credit card numbers with PINs. The public release of this data places affected patients at extreme risk of identity theft and fraud.","## Executive Summary\n**Rocky Mountain Associated Physicians (RMAP)**, a surgical and medical weight loss practice in Salt Lake City, Utah, has been hit by a devastating cyberattack affecting 50,640 patients. The incident involved a data breach and extortion attempt by a threat group named **PEAR** (Pure Extortion and Ransom). After RMAP presumably refused to pay the ransom, the PEAR group publicly leaked the entire stolen dataset on its dark web data leak site. 
The compromised information is exceptionally sensitive, containing a toxic combination of protected health information (PHI), personally identifiable information (PII), and financial data. For a subset of victims, the breach exposed credit/debit card numbers along with their PINs, a rare and highly damaging event. This incident represents a worst-case scenario for a healthcare data breach, with sensitive patient data now freely available to malicious actors.\n\n## Threat Overview\nThe attack followed the double-extortion model common among modern ransomware groups, but with a focus on pure extortion rather than encryption.\n1.  **Intrusion and Data Theft:** The PEAR group gained unauthorized access to RMAP's network and, over time, located and exfiltrated the primary patient database.\n2.  **Extortion:** The group contacted RMAP, demanding a ransom payment in exchange for not leaking the stolen data.\n3.  **Data Leak:** When the ransom was not paid, PEAR published RMAP's name on its data leak site and then publicly released the stolen data for anyone to download.\n\nThe compromised data is extensive and includes:\n-   Patient names, dates of birth, contact information\n-   Social Security numbers\n-   Medical record numbers\n-   Detailed diagnosis and treatment information (PHI)\n-   Debit or credit card numbers with associated PINs (for a subset of patients)\n\n## Technical Analysis\nWhile the initial access vector is unknown, common TTPs for healthcare breaches include:\n- **Exploit Public-Facing Application:** [`T1190 - Exploit Public-Facing Application`](https://attack.mitre.org/techniques/T1190/) - Often via vulnerabilities in VPNs or other remote access solutions.\n- **Phishing:** [`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/) - Targeting employees with emails to steal credentials.\n- **Data from Information Repositories:** [`T1213 - Data from Information Repositories`](https://attack.mitre.org/techniques/T1213/) - The core of the attack was 
accessing and stealing from the patient database.\n- **Exfiltration Over C2 Channel:** [`T1041 - Exfiltration Over C2 Channel`](https://attack.mitre.org/techniques/T1041/) - The attackers had to transfer a large database out of RMAP's network.\n- **Inhibit System Recovery:** [`T1490 - Inhibit System Recovery`](https://attack.mitre.org/techniques/T1490/) - While not explicitly stated, ransomware groups often delete backups to increase pressure on the victim.\n\n## Impact Assessment\nThis is a catastrophic breach with severe consequences.\n- **Extreme Patient Risk:** The 50,640 patients are now at an immediate and extremely high risk of financial fraud, medical identity theft, and targeted social engineering scams. The combination of SSN, PHI, and financial data is a goldmine for criminals.\n- **Regulatory Penalties:** RMAP faces substantial fines under **[HIPAA](https://www.hhs.gov/hipaa/index.html)**. The public leaking of data and the exposure of financial info with PINs will likely be seen as aggravating factors by regulators.\n- **Class-Action Lawsuits:** The practice will almost certainly face costly class-action lawsuits from the affected patients.\n- **Reputational Obliteration:** For a medical practice, patient trust is everything. A breach of this magnitude, resulting in the public release of the most sensitive data imaginable, could be an existential event for the organization.\n- **PCI-DSS Violations:** The storage and subsequent breach of card numbers with PINs is a severe violation of the Payment Card Industry Data Security Standard (PCI-DSS) and will result in heavy fines from payment card brands.\n\n## Cyber Observables for Detection\nHunting for this activity involves looking for signs of database compromise and exfiltration.\n| Type | Value | Description |\n|---|---|---|\n| log_source | Database Audit Logs | Monitor for queries accessing large tables in their entirety, especially from non-standard application accounts or at unusual times. 
|\n| network_traffic_pattern | Sustained Egress Traffic | Look for large, sustained outbound data flows from the database server to an external IP address. |\n| file_path | `C:\\Windows\\Temp\\` | Attackers often stage stolen data in temporary directories as compressed archives (`.zip`, `.rar`, `.7z`) before exfiltration. Monitor for large file creation in these locations. |\n\n## Detection & Response\n- **D3FEND: File Analysis:** Implement file integrity monitoring and analysis on critical servers. Configure it to alert on the creation of large archive files in unusual locations, as this is a common data staging technique. This relates to [`D3-FA: File Analysis`](https://d3fend.mitre.org/technique/d3f:FileAnalysis).\n- **D3FEND: Network Traffic Analysis:** Use DLP and network analysis tools to detect the exfiltration of structured data (like SSNs and credit card numbers) and to alert on anomalous traffic volumes from sensitive internal servers to the internet. This is a core use case for [`D3-NTA: Network Traffic Analysis`](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis).\n- **Assume Breach Mentality:** Regularly conduct threat hunts within the network, assuming an attacker is already present. Hunt for signs of lateral movement, credential dumping, and data staging.\n\n## Mitigation\n> **CRITICAL WARNING:** Storing credit/debit card PINs is a gross violation of PCI-DSS compliance and general security best practices. No system should ever store PINs in a recoverable format.\n\n- **PCI-DSS Compliance:** Do not store sensitive authentication data post-authorization. This includes PINs, CVV codes, and full magnetic stripe data. This is a fundamental and non-negotiable security requirement.\n- **Data Encryption:** All sensitive data (PHI, PII, financial) must be encrypted both at rest (in the database) and in transit (over the network). 
This is a requirement under HIPAA.\n- **Network Segmentation:** Isolate the patient database server in a highly restricted network segment. Only specific, authorized application servers should be able to communicate with it. This is a key part of [`M1030 - Network Segmentation`](https://attack.mitre.org/mitigations/M1030/).\n- **Backup and Recovery:** Maintain immutable, offline backups of critical data. While this wouldn't have prevented the data leak, it is essential for recovery from the encryption phase of a ransomware attack.","CRITICAL BREACH: Utah's RMAP hit by 'PEAR' ransomware. Data of 50k patients, including SSNs & financial info with PINs, leaked on the dark web after ransom wasn't paid. 🏥 #Ransomware #DataBreach #Healthcare #HIPAA","The PEAR ransomware group has leaked the data of over 50,000 patients from Rocky Mountain Associated Physicians (RMAP), including SSNs, medical records, and financial data with PINs.",[13,14,15],"Ransomware","Data Breach","Threat Actor","critical",[18,21,24],{"name":19,"type":20},"PEAR (Pure Extortion and Ransom)","threat_actor",{"name":22,"type":23},"Rocky Mountain Associated Physicians (RMAP)","company",{"name":25,"type":26,"url":27},"HIPAA","technology","https://www.hhs.gov/hipaa/index.html",[],[30,36],{"url":31,"title":32,"date":33,"friendly_name":34,"website":35},"https://www.hipaajournal.com/data-breach-at-rocky-mountain-associated-physicians-affects-50000-patients/","Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients","2026-04-14","HIPAA Journal","hipaajournal.com",{"url":37,"title":38,"date":33,"friendly_name":39,"website":40},"https://healthitsecurity.com/news/pear-ransomware-group-leaks-utah-clinic-phi-after-failed-extortion-attempt","PEAR Ransomware Group Leaks Utah Clinic PHI After Failed Extortion Attempt","HealthITSecurity","healthitsecurity.com",[42],{"datetime":43,"summary":44},"2026-02-02T00:00:00Z","RMAP's forensic investigation into the breach 
concludes.",[46,50,54,58],{"id":47,"name":48,"tactic":49},"T1486","Data Encrypted for Impact","Impact",{"id":51,"name":52,"tactic":53},"T1041","Exfiltration Over C2 Channel","Exfiltration",{"id":55,"name":56,"tactic":57},"T1213","Data from Information Repositories","Collection",{"id":59,"name":60,"tactic":61},"T1190","Exploit Public-Facing Application","Initial Access",[63,68,72,76],{"id":64,"name":65,"description":66,"domain":67},"M1030","Network Segmentation","Isolate critical patient databases in a highly restricted network segment to prevent access from compromised parts of the network.","enterprise",{"id":69,"name":70,"description":71,"domain":67},"M1041","Encrypt Sensitive Information","Encrypt Protected Health Information (PHI) and other sensitive data at rest to protect it in case of a breach.",{"id":73,"name":74,"description":75,"domain":67},"M1047","Audit","Implement robust logging and monitoring of access to sensitive databases to detect and alert on anomalous activity.",{"id":77,"name":78,"description":79,"domain":67},"M1051","Update Software","Keep all systems, especially internet-facing ones, patched and up-to-date to prevent initial compromise.",[81,86],{"technique_id":82,"technique_name":83,"url":84,"recommendation":85,"mitre_mitigation_id":64},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","The RMAP breach underscores the absolute necessity of Network Isolation for servers containing highly sensitive data like a patient database. This server should have been placed in a 'crown jewels' network segment, completely isolated from the general corporate network and the internet. Access to this segment should be controlled by a firewall with a default-deny policy. Only a specific, allow-listed application server should be permitted to communicate with the database server, and only on the required database port (e.g., TCP/1433 for SQL Server). 
No other traffic—RDP, SMB, HTTPS—should be allowed into or out of this segment. This strict isolation means that even if an attacker compromises a workstation on the front desk, they cannot directly access or even scan for the patient database, containing the breach and preventing data exfiltration.",{"technique_id":87,"technique_name":88,"url":89,"recommendation":90,"mitre_mitigation_id":69},"D3-FE","File Encryption","https://d3fend.mitre.org/technique/d3f:FileEncryption","While network controls are crucial, a defense-in-depth strategy requires data-centric protection. For the RMAP case, robust encryption of the data at rest is essential. This goes beyond simple disk encryption. The database itself should have been configured with Transparent Data Encryption (TDE) to encrypt the database files on disk. More importantly, specific columns containing the most sensitive data—Social Security numbers and financial information—should have been encrypted at the application level or using column-level database encryption. This means that even if an attacker managed to exfiltrate the database files, the most sensitive data would be unreadable without access to the separate encryption keys. The fact that PINs were stored in a recoverable format is a catastrophic failure; this data should never be stored at all, but if any sensitive data must be stored, it must be encrypted with strong, well-managed keys.",[],[93,99,104],{"type":94,"value":95,"description":96,"context":97,"confidence":98},"file_name","*.zip, *.rar, *.7z","Attackers often compress stolen data into large archive files before exfiltration. 
Monitor for the creation of large archives on servers that don't normally perform this function.","File Integrity Monitoring (FIM), EDR","high",{"type":100,"value":101,"description":102,"context":103,"confidence":98},"network_traffic_pattern","Large, sustained outbound transfer from database server","A database server sending hundreds of megabytes or gigabytes of data to an external IP address is a massive red flag for data exfiltration.","Netflow analysis, Firewall logs, IDS/IPS",{"type":105,"value":106,"description":107,"context":108,"confidence":109},"log_source","Database transaction logs","Monitor for an unusually high volume of read operations (SELECT statements) from a single account, which could indicate an attacker is dumping tables.","Database Activity Monitoring (DAM), SIEM","medium",[13,14,111,112,25,113,114,115],"PEAR","Healthcare","PII","PHI","Extortion","2026-04-14T15:00:00.000Z","NewsArticle",{"geographic_scope":119,"countries_affected":120,"industries_affected":122,"people_affected_estimate":123},"local",[121],"United States",[112],"50,640",8,1776260656777]