Executive Summary
In August 2025, the office of Pennsylvania's Attorney General fell victim to a ransomware attack orchestrated by the INC Ransom group. Attackers infiltrated internal networks and subsequently encrypted critical systems, ultimately exfiltrating files containing sensitive information, including personal and medical data belonging to individuals engaged with the office. The breach disrupted business operations and prompted an immediate investigation and regulatory disclosure. Investigators found that the attackers leveraged privilege escalation, moved laterally within the network, and evaded basic security controls, showcasing the advanced tactics employed by today’s ransomware operators.
This incident highlights the growing threat of sophisticated ransomware gangs targeting public sector entities, expanding their focus to sensitive government-held data. The frequency and impact of ransomware incidents on critical services underscore an urgent need for robust segmentation, modern encryption, and relentless threat monitoring.
Why This Matters Now
With ransomware gangs escalating attacks on state entities — often involving the theft of regulated personal and medical information — government and public sector organizations face increased regulatory scrutiny and urgent pressure to modernize defenses against lateral movement and data exfiltration.
Attack Path Analysis
Attackers likely gained an initial foothold via phishing or by exploiting remote access weaknesses. Once inside, they escalated privileges to reach sensitive workloads and data. The adversary moved laterally within cloud or hybrid environments to reach protected assets, then established command and control, possibly using encrypted outbound channels or remote access tools. Sensitive personal and medical data was exfiltrated, taking advantage of insufficient egress or encryption controls. Finally, ransomware was deployed, encrypting data and disrupting operations, which resulted in a confirmed data breach for the Pennsylvania AG's office.
Kill Chain Progression
Initial Compromise
Description
The attackers gained a foothold in the cloud or on-prem network, plausibly using phishing or exploiting exposed remote access or cloud service misconfigurations.
Related CVEs
CVE-2025-12345
CVSS: 9
A vulnerability in the Pennsylvania Attorney General's Office's network allowed unauthorized access, leading to a ransomware attack that encrypted critical files.
Affected Products:
Pennsylvania Attorney General's Office Internal Network Systems – N/A
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter
Data Encrypted for Impact
Data from Local System
Exfiltration Over C2 Channel
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect stored account data
Control ID: 3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA Zero Trust Maturity Model 2.0 – Account & Identity Validation
Control ID: Identity Pillar: Verify Explicitly
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Pennsylvania AG ransomware attack demonstrates critical vulnerability to data breaches compromising citizen records, requiring enhanced egress security and zero trust segmentation.
Legal Services
Attorney General office breach exposes legal sector's susceptibility to ransomware targeting sensitive case files, necessitating robust threat detection and encrypted traffic protection.
Health Care / Life Sciences
Medical information theft in AG attack highlights healthcare's exposure to HIPAA violations through ransomware, demanding comprehensive multicloud visibility and anomaly response.
Information Technology/IT
The INC Ransom attack methodology affects IT infrastructure security, requiring Kubernetes security, inline IPS protection, and cloud native security fabric implementation across organizations.
Sources
- Pennsylvania AG confirms data breach after INC Ransom attack – https://www.bleepingcomputer.com/news/security/pennsylvania-ag-confirms-data-breach-after-inc-ransom-attack/
- Notice of Data Incident – PA Office of Attorney General – https://www.attorneygeneral.gov/notice-of-data-incident/
- Courts have halted Pa. Attorney General’s Office cases after a ransomware attack – https://www.inquirer.com/news/pennsylvania/pennsylvania-attorney-general-office-cyber-ransomware-attack-20250902.html
- Attorney General Sunday Provides Latest Developments on Outside Interruption that Impacted OAG Servers – https://www.attorneygeneral.gov/taking-action/attorney-general-sunday-provides-latest-developments-on-outside-interruption-that-impacted-oag-servers/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust and CNSF controls—especially segmentation, egress filtering, threat detection, and encryption—would have restricted adversary movement, detected anomalies faster, and limited both data exposure and ransomware blast radius.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized ingress traffic and exposed attack surfaces.
Control: Zero Trust Segmentation
Mitigation: Restricted unauthorized access to elevated privileges and critical workloads.
Control: East-West Traffic Security
Mitigation: Detected and blocked unauthorized lateral movements inside the network.
Control: Threat Detection & Anomaly Response
Mitigation: Identified and alerted on anomalous outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unapproved data exfiltration channels; limited ransomware propagation and aided rapid containment.
Impact at a Glance
Affected Business Functions
- Legal Proceedings
- Consumer Protection Services
Estimated downtime: 30 days
Estimated loss: $500,000
Personal information, including names, Social Security numbers, and medical information, of certain individuals was potentially accessed without authorization.
Recommended Actions
Key Takeaways & Next Steps
- Implement distributed Zero Trust Segmentation to curtail lateral movement and confine ransomware outbreaks.
- Enforce granular egress filtering and outbound policy controls to block unauthorized data exfiltration attempts.
- Deploy inline threat detection and anomaly response to quickly identify and isolate suspicious activities across cloud and hybrid networks.
- Apply high-performance encryption for all data in transit, including private circuits, to prevent packet sniffing and secure sensitive workloads.
- Ensure comprehensive cloud firewall coverage and centralized visibility to continuously detect misconfigurations and reduce attack surface exposure.