Mid-South Pulmonary & Sleep Specialists Data Breach Exposes Patient and Clinical Information

The Mid-South Pulmonary & Sleep Specialists data breach is an alleged ransomware attack conducted by the Anubis ransomware group targeting Mid-South Pulmonary & Sleep Specialists P.C., a medical practice headquartered in Memphis, Tennessee. According to information posted by the threat group on its dark web leak portal on November 28, 2025, the attackers claim to have exfiltrated confidential patient information, medical files, and internal clinical documentation. The group announced that it plans to publish the stolen data within 24 hours if ransom demands are not met.

Mid-South Pulmonary & Sleep Specialists is a medical practice specializing in pulmonary medicine, critical care, and sleep disorder treatment. The organization operates multiple clinics across Tennessee and provides services such as sleep testing, respiratory therapy, and pulmonary diagnostics. The clinic’s infrastructure relies heavily on digital systems for electronic health records (EHR), diagnostic imaging, and scheduling. This reliance makes healthcare organizations like Mid-South Pulmonary & Sleep Specialists frequent targets for ransomware attacks seeking to exploit the sensitive and regulated data stored within their systems. The incident adds to a series of escalating cybersecurity threats affecting small and mid-sized medical practices across the United States.

Background on the Anubis Ransomware Group

The Anubis ransomware group, first identified in mid-2024, is known for targeting healthcare and financial institutions. The group operates under a double extortion model, exfiltrating sensitive information before encrypting network systems. Anubis claims to maintain secure communication channels with victims through encrypted Tor portals and often threatens to release stolen data publicly to maximize pressure during negotiations. Its previous attacks have affected clinics, insurance providers, and municipal governments, resulting in significant data exposure and operational disruptions.

The group’s choice of targets reflects a growing trend in healthcare ransomware campaigns, where attackers leverage the urgency of patient care to expedite ransom payments. In recent incidents involving similar groups, data leaks have included detailed patient charts, diagnostic test results, and prescription histories—files that are both confidential and regulated under federal law. The Mid-South Pulmonary & Sleep Specialists data breach aligns with these tactics, suggesting that Anubis gained access to internal file servers or cloud-based health record systems.

Scope and Nature of the Breach

While official confirmation from Mid-South Pulmonary & Sleep Specialists has not yet been released, the Anubis ransomware group claims to possess confidential patient data and internal records. Based on early information shared through dark web postings, the stolen material likely includes:

  • Patient identification data, including names, birthdates, addresses, and contact numbers
  • Medical and sleep study reports, pulmonary test results, and diagnostic imagery
  • Clinical progress notes and physician correspondence
  • Insurance details, billing records, and payment information
  • Employee HR files, payroll information, and credentialing documents
  • Internal administrative and scheduling system data

Healthcare ransomware incidents involving similar-sized clinics have previously exposed between 50 GB and 500 GB of data, depending on the size of their EHR and imaging systems. If this pattern holds, the Mid-South Pulmonary & Sleep Specialists data breach could represent a substantial compromise affecting both patients and staff. The fact that Anubis announced a one-day countdown before publication suggests that negotiations or containment efforts may already be in progress.

The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered healthcare entities implement safeguards to protect patient data and promptly report breaches affecting protected health information (PHI). If the Mid-South Pulmonary & Sleep Specialists data breach is verified, the organization will be required to notify affected individuals, the Department of Health and Human Services (HHS), and potentially state regulators. Depending on the scope, the Office for Civil Rights (OCR) may initiate an investigation into the clinic’s compliance with HIPAA’s Privacy and Security Rules.

Noncompliance with HIPAA can result in financial penalties ranging from tens of thousands to millions of dollars, depending on the level of negligence. In addition, state-specific data privacy laws in Tennessee require notification to affected residents and the Attorney General’s office if personally identifiable information is compromised. Healthcare organizations that fail to disclose breaches promptly risk facing both regulatory fines and civil litigation from affected patients.

Potential Impact on Patients and Operations

The exposure of patient data from the Mid-South Pulmonary & Sleep Specialists data breach could have long-term consequences. Medical records often include detailed health information, prescription data, and insurance details that can be exploited for identity theft, medical fraud, and phishing scams. Attackers can use this data to file false insurance claims, obtain prescription drugs, or impersonate patients during healthcare transactions.

For the clinic itself, ransomware attacks can severely disrupt operations. If clinical systems, diagnostic equipment, or scheduling software were encrypted, patients could experience appointment delays, missed test results, or interruptions in treatment. In prior ransomware cases affecting similar healthcare facilities, organizations were forced to revert to paper documentation for days or weeks while systems were restored, creating significant administrative and clinical strain.

Technical Overview and Attack Chain Analysis

Anubis typically gains initial access to a target network through phishing emails, credential theft, or exploitation of unpatched vulnerabilities in remote access systems. Once inside, the group conducts reconnaissance to identify high-value servers and databases. Tools commonly used by Anubis include Advanced Port Scanner, PsExec for remote code execution, and Mimikatz for credential extraction. After data collection, the attackers use Rclone or similar utilities to exfiltrate files to remote servers before launching the encryption payload.
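
An added example (not part of the original article and not any vendor's detection content): a correlation check for the tool sequence described above, run over constructed process-creation events. The JSON field names (ts, host, image, orig_name, cmd), the host names and the paths are assumptions made for the illustration; a host is flagged only when two or more stages occur inside one time window, so a lone PsExec or Rclone job does not alert.

```python
import json
import re
from datetime import datetime, timedelta

# Stage -> pattern over image path, PE original file name (catches renames) and command line.
STAGES = {
    "recon": re.compile(r"advanced_port_scanner", re.I),
    "lateral": re.compile(r"\bpsexe(c|c64|svc)\.exe", re.I),
    "credentials": re.compile(r"mimikatz|sekurlsa::", re.I),
    "exfil": re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
}

# Constructed process-creation events, one JSON object per line (field names assumed).
SAMPLE = r"""
{"ts":"2025-01-10T01:00:00","host":"BACKUP01","image":"C:\\Tools\\rclone.exe","cmd":"rclone.exe sync E:\\Backups offsite:nightly"}
{"ts":"2025-01-10T02:11:05","host":"FS01","image":"C:\\Users\\Public\\advanced_port_scanner.exe","cmd":"advanced_port_scanner.exe"}
{"ts":"2025-01-10T02:40:12","host":"FS01","image":"C:\\Users\\Public\\PsExec.exe","cmd":"PsExec.exe \\\\EHR-DB01 hostname"}
{"ts":"2025-01-10T03:02:44","host":"FS01","image":"C:\\ProgramData\\m.exe","orig_name":"mimikatz.exe","cmd":"m.exe"}
{"ts":"2025-01-10T03:55:10","host":"FS01","image":"C:\\ProgramData\\svch.exe","orig_name":"rclone.exe","cmd":"svch.exe copy D:\\Exports remote:stage"}
{"ts":"2025-01-10T09:15:00","host":"ADMIN-WS7","image":"C:\\Sysinternals\\PsExec64.exe","cmd":"PsExec64.exe \\\\PRINT01 ipconfig"}
"""


def classify(event):
    """Return the attack-chain stage a process event matches, or None."""
    text = " ".join(event.get(k, "") for k in ("image", "orig_name", "cmd"))
    for stage, pattern in STAGES.items():
        if pattern.search(text):
            return stage
    return None


def find_chains(lines, window=timedelta(hours=24), min_stages=2):
    """Map host -> ordered distinct stages observed inside one time window."""
    hits = {}
    for ev in map(json.loads, filter(str.strip, lines)):
        stage = classify(ev)
        if stage:
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct stages, in order of appearance, within the window from this hit.
            stages = list(dict.fromkeys(s for ts, s in seen[i:] if ts - start <= window))
            if len(stages) >= min_stages and len(stages) > len(alerts.get(host, [])):
                alerts[host] = stages
    return alerts


if __name__ == "__main__":
    print(find_chains(SAMPLE.splitlines()))
```

Name-based matching is easy to evade, so a hit here is a lead for log review and forensic follow-up rather than proof of compromise.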

Given the healthcare context, the initial breach vector at Mid-South Pulmonary & Sleep Specialists may have involved exposed VPN credentials or misconfigured remote desktop services. Healthcare providers frequently rely on third-party IT vendors and legacy systems that lack modern security controls. Once the attackers achieved persistence, they likely targeted systems hosting electronic health records, billing platforms, and internal communications. The subsequent encryption phase would have rendered systems inaccessible, leaving the organization dependent on backup recovery efforts.

Immediate Response and Containment Recommendations

To address the Mid-South Pulmonary & Sleep Specialists data breach, technical teams and healthcare IT administrators should implement containment and investigation procedures immediately. Recommended actions include:

  • Disconnect compromised systems from the network to prevent further data exfiltration
  • Preserve forensic evidence including network logs, memory captures, and disk images
  • Identify all accounts with administrative privileges and perform credential resets
  • Inspect VPN, RDP, and cloud service logs for unusual access activity
  • Verify backup integrity before initiating restoration of encrypted systems
  • Engage external incident response specialists with healthcare cybersecurity experience

It is critical that organizations document all actions taken during incident response for future regulatory and legal review. If ransom negotiations occur, communication should be managed by experienced third-party negotiators who understand both the ethical and legal implications of ransom payment under U.S. law.

Mitigation and Long-Term Defense Strategies

Healthcare organizations can significantly reduce the risk of similar ransomware incidents by adopting a layered defense strategy that combines technology, policy, and training. Key measures include:

  • Implement multifactor authentication for all remote access and privileged accounts
  • Segment clinical systems from administrative networks to contain potential breaches
  • Deploy intrusion detection and endpoint monitoring solutions with real-time alerting
  • Conduct quarterly vulnerability assessments and apply all critical software patches
  • Maintain offline, encrypted backups of patient and operational data
  • Establish clear incident response playbooks and regularly test them through simulations
  • Train staff to recognize phishing and social engineering attempts commonly used in ransomware campaigns

Implementing a zero-trust framework can further enhance security by verifying all user activity and enforcing strict access controls based on context and device security posture. Smaller clinics that lack dedicated IT teams should consider contracting managed security service providers (MSSPs) to monitor systems continuously and provide rapid detection and response capabilities.

Guidance for Affected Patients and Employees

Patients potentially impacted by the Mid-South Pulmonary & Sleep Specialists data breach should remain vigilant for suspicious activity involving their personal or insurance information. Recommended actions include:

  • Monitor health insurance statements for unauthorized claims or billing discrepancies
  • Review credit reports and consider placing a temporary credit freeze with major bureaus
  • Change passwords associated with healthcare portals and patient access systems
  • Be cautious of phishing emails referencing Mid-South Pulmonary or sleep study results
  • Scan personal devices with reputable tools such as Malwarebytes to detect malware infections

Employees should verify whether payroll or HR data was compromised and monitor for potential misuse. Those who receive suspicious communications or notices of fraudulent activity should immediately report them to relevant financial institutions and healthcare providers. In the event of confirmed identity theft, victims should file reports with the Federal Trade Commission (FTC) and retain copies of all correspondence related to the breach.

Broader Implications for the Healthcare Sector

The Mid-South Pulmonary & Sleep Specialists data breach exemplifies the increasing vulnerability of small and medium-sized healthcare organizations to ransomware threats. As larger hospital networks have invested heavily in cybersecurity infrastructure, smaller medical practices have become easier targets due to limited budgets, outdated software, and constrained IT resources. Attackers exploit these weaknesses, knowing that even minor disruptions can have severe consequences for patient care and compliance.

Healthcare institutions across the United States continue to face growing pressure to modernize infrastructure and comply with evolving security frameworks such as the NIST Cybersecurity Framework and HHS 405(d) Health Industry Cybersecurity Practices. The ongoing wave of healthcare ransomware incidents underscores the urgent need for proactive cybersecurity investment, staff education, and industry-wide collaboration to safeguard patient trust and data integrity.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
