Breach of Data at Capital Medical Center, Rehoboth McKinley Christian Health Care Services and Sutter Buttes Imaging Medical Group

Two healthcare organizations have experienced ransomware attacks in which sensitive information was exfiltrated and then published on the internet because the victims did not pay the ransom.

The Conti ransomware gang has posted information on its leak website that was purportedly taken in an attack on Rehoboth McKinley Christian Health Care Services in New Mexico. The leaked details include sensitive patient data such as patient ID cards, diagnoses, treatment details, diagnostic data, driver’s license numbers, and passports.

It is uncertain how many individuals have had their PHI exposed to date. The Conti ransomware group states it has so far released only about 2% of the stolen data.

The current data leak by the Conti ransomware gang follows similar leaks of information stolen during the ransomware attacks on Leon Medical Centers in Florida and Nocona General Hospital in Texas.

The Avaddon ransomware group has likewise posted data on its leak website that was exfiltrated during a ransomware attack on Capital Medical Center in Olympia, Washington. The gang has threatened to leak more information over the following few days if the ransom is not paid. The published data includes driver’s license numbers, patient files, diagnosis and treatment data, insurance details, lab test results, prescribed medicines, names of providers, and patient contact data.

According to Emsisoft, there are currently at least 17 ransomware gangs that exfiltrate data before encrypting files, all of which say they will release or sell the stolen information if the ransom is not paid. The most recent Coveware ransomware report indicates that data exfiltration occurs in approximately 70% of ransomware attacks. These double extortion attacks frequently succeed in obtaining a ransom payment to prevent the release of stolen information; however, there are signs that the technique is becoming less effective because victims do not trust that the threat groups will actually delete the stolen data once the ransom is paid.

There have been several instances where, despite payment being made, the threat actors issued further extortion demands or still exposed the stolen files on their leak websites.

Hacker Possibly Obtained Patient Information from Sutter Buttes Imaging Medical Group

Sutter Buttes Imaging Medical Group (SBIMG), based in Yuba City, CA, has discovered that an unauthorized individual gained access to third-party IT hardware used at its Yuba City imaging center and potentially viewed and obtained limited patient records.

In December 2020, SBIMG discovered that a hacker had exploited an unpatched vulnerability in IT hardware that was used to store and transfer information associated with medical services provided to patients. Action was quickly taken to remove the threat actor from its systems and protect patient information. A breach investigation revealed that the hacker first gained access to the IT systems in July 2019 and retained that access until December 2020.

The breach investigation revealed that the attacker gained access to limited patient details such as names, birth dates, imaging procedures performed, study name, study date, and internal patient/study numbers. No financial data, insurance details, or Social Security numbers were compromised.

SBIMG has fixed the vulnerability and has taken steps to enhance security and prevent similar breaches in the future, including closing specific firewall ports. Third-party security professionals helped to evaluate system security and to implement additional security controls.

SBIMG has notified all affected patients by mail and reported the breach to the HHS’ Office for Civil Rights. The incident has not yet been posted on the HHS breach portal, so the number of individuals affected is currently unknown.