Wayne Memorial Hospital in Jesup, Georgia, experienced a data breach on May 30, 2024, but notified affected consumers on August 27, 2025, according to a filing with the Maine Attorney General’s office. 163,440 individuals were affected by this breach. Reporting from Comparitech states that only 2,500 individuals were notified of the breach in August 2024. 

Rebecca Moody, Head of Data Research at Comparitech, comments, “This is another worrying case where there has been a significant delay in notifying the majority of people involved in a data breach. Despite having initially notified 2,500 people of a breach in August 2024, it’s taken another year to confirm that over 163,000 people may have been impacted. Furthermore, even though Wayne Memorial Hospital added a data breach alert to its website in August 2024, according to Wayback Machine internet archive data, this had been removed by January 2025. So, unless patients were one of the first 2,500 people to receive a data breach notification letter or happened to view the alert on the hospital’s website from August to December 2024, it’s highly likely they were completely unaware of this breach until now.” 

Information compromised includes: 

• Social Security numbers
• Names
• Birth dates
• State-issued ID numbers (such as a driver’s license)
• User IDs and passwords
• Financial account numbers, credit and debit card numbers, expiration dates, and CVV codes
• Medical history, diagnoses, and treatments/prescriptions
• Lab results and images
• Healthcare provider numbers
• Health insurance, Medicare and Medicaid numbers

Erich Kron, Security Awareness Advocate at KnowBe4, adds, “A delay of over a year to notify people who have had their information stolen is unfortunate. Every day the information is in the hands of bad actors puts the victims at risk of not only identity theft, but also of scams and other social engineering tactics.

“Information such as procedures, dates and insurance information, all stolen along with other data, allow bad actors to contrive stories that can be used to scam victims again, such as convincing the victim that they have outstanding debts related to the procedure, or similar ruses. Having a lot of detailed information can allow attackers to create detailed stories, and unless the victim is aware that the information is available to bad actors, can easily convince the victims of the validity of the scam.

“Organizations that handle sensitive data need to ensure they are making every effort to secure it. Since human error is the top way that ransomware and other malware infect organizations, especially through email phishing, these organizations need to have a well-designed human risk management (HRM) program in place.”

According to the cybersecurity incident notice sent out by the institution, the hospital discovered the ransomware incident after some data was encrypted an a ransom note was left on the network. The ransomware group Monti has claimed responsibility for the attack, although at this time, the hospital has not confirmed the validity of this claim. 

Moody remarks, “While Wayne Memorial Hospital hasn’t confirmed whether or not a ransom was paid, the fact that the hospital was posted on Monti’s website suggests it wasn’t (for the data theft, at least). This means patients’ highly sensitive data has been posted on the dark web since the end of June 2024, leaving them exposed to identity theft and fraud.”