Medibank Ransomware Attack and Data Breaches at Hutchinson Cancer Center and Plaza Radiology

Russian National Sanctioned for Medibank Ransomware Attack

A Russian national who took part in a ransomware attack on Medibank, an Australian medical insurance company, in 2022 was sanctioned by the U.S., U.K., and Australian governments.

Alexander Ermakov (also known as blade_runner, GustaveDore, JimJones, or GistaveDore), 33 years old, is identified as a member of the already-disbanded ransomware group REvil. This well-known cybercriminal group ceased operations and disappeared in July 2021. Before that, this ransomware-as-a-service group encrypted roughly 175,000 computers and got around $200 million in ransom payments.

In October 2022, REvil acquired access to the network of Medibank and stole the information of around 9.7 million customers after which utilized ransomware for file encryption. The stolen information contained names, Medicare numbers, birth dates, and highly sensitive medical data such as sexual health, mental health, and drug use information.

Russian national Ermakov is not likely to face trial before a court for the Revil attacks because there’s no extradition treaty with the United States, the United Kingdom, or Australia. Ermakov is also not likely to go to any nation where he is at risk of arrest. The U.S. Department of the Treasury criticized Russia for letting ransomware groups to operate inside its borders and openly execute attacks all over the world, and for letting ransomware attacks create and co-opt criminal hackers. The Treasury has required Russia to do something to stop cyber criminals from conducting operations within its area.

The sanctions signify that it is a criminal offense to give assets to Ermakov or to utilize or manage any of his assets, which includes paying ransom via cryptocurrency wallets. Australia first sanctioned Ermakov, then the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and lastly the UK government. OFAC stated Ermakov’s property including interests that are within the U.S. or in the custody or management of U.S. individuals should be blocked and reported to OFAC. Entities that are at least 50% owned directly or indirectly by Ermakov are likewise blocked. Anyone breaching the sanctions can be punished by as much as 10 years’ imprisonment.

Under Secretary of the Treasury, Brian E. Nelson stated that Russian cyber actors still launch disruptive ransomware attacks against the U.S. and allied nations, focusing on companies, including critical infrastructure, to steal sensitive information. The trilateral attack on Australia, the U.S. and the U.K. is a first of such synchronized action, highlighting the need to make these criminals accountable.

Missing Fred Hutchinson Cancer Center Laptop with PHI

Fred Hutchinson Cancer Center has informed 544 patients about the potential exposure of some of their sensitive information. A provider advised Fred Hutch on October 27, 2023 about the loss of their laptop computer while traveling. The laptop was utilized to gain access to Microsoft Outlook software where patient data is stored. The provider stated the laptop has password protection and was already set up to start a remote deletion of the hard drive when it connects online. Fred Hutchinson did a review to determine what types of information were accessed from the laptop and confirmed the exposure of names, addresses, telephone numbers, birth dates, dates of service, medical record numbers, patient account numbers, and some clinical data. The Social Security numbers of a few patients were also exposed.

The cancer center sent notification letters on December 26, 2023, and offered free credit monitoring services to those whose Social Security numbers were exposed. Fred Hutch has given employees supplemental education about protecting mobile devices. This is Fred Hutchinson Cancer Center’s second data breach report in the last couple of weeks. A lot more serious breach happened from November 19 to November 25, 2023, when a cybercriminal group hacked its system and stole patient information. Fred Hutch hasn’t confirmed yet the number of patients that were impacted though the hackers professed to have accessed the information of about 800,000 patients. Because the center did not pay the ransom, the threat actors began contacting the patients directly.

Approximately 569,000 Patients Affected by the Plaza Radiology Data Breach

Plaza Radiology, which is also known as Chattanooga Imaging in several areas in North Georgia and Tennessee, has encountered a cyberattack resulting in a data breach that has impacted around 569,000 patients.

Plaza Radiology discovered the attack on October 21, 2023, but didn’t say any information about the nature of the cyberattack, except for saying that the preliminary outcomes of the forensic investigation established the unauthorized access to a few files on its system that comprised patient data.

The results of the forensic investigation are still under review and, at this time, there were no reports received of actual or attempted patient data misuse. Plaza Radiology submitted the data breach report to the HHS’ Office for Civil Rights on December 20, 2023, and stated it’s going to be sending breach notification letters after identifying those affected by the breach and the types of information exposed.

Plaza Radiology’s legal counsel stated that several steps were undertaken to improve cybersecurity and stop identical breaches later on. Those measures include modifying passwords on accounts, activating multi-factor authentication, changing the desktop computers and network servers, and training employees on enhanced security awareness.

Plaza Radiology will offer free credit monitoring and identity theft protection services to those who had their sensitive data exposed in the attack and urges all patients to be on the alert against identity theft and fraudulent activity involving their information.