Two healthcare providers have suffered ransomware attacks in which sensitive information was exfiltrated and then published online after the victims declined to pay the ransom.
The Conti ransomware group has published data on its leak site that it claims was stolen in an attack on Rehoboth McKinley Christian Health Care Services in New Mexico. The exposed files include sensitive patient information such as patient ID cards, diagnoses, treatment data, diagnostic data, passports, and driver's license numbers.
It is not yet known how many individuals have had their protected health information (PHI) compromised. The Conti gang claims that it has so far published only about 2% of the stolen data.
This latest leak by the Conti group follows similar exposures of data stolen in ransomware attacks on Nocona General Hospital in Texas and Leon Medical Centers in Florida.
The Avaddon ransomware gang has likewise posted data on its leak site that was stolen in a ransomware attack on Capital Medical Center in Olympia, Washington. The group has threatened to release more data over the next few days if the ransom is not paid. The exposed data includes driver's license numbers, patient records, diagnosis and treatment information, insurance data, laboratory test results, prescription medications, provider names, and patient contact details.
According to Emsisoft, at least 17 ransomware gangs now exfiltrate data before encrypting files, and all of them threaten to publish or sell the stolen data if the ransom is not paid. Coveware's latest ransomware report indicates that data exfiltration occurs in roughly 70% of attacks. Ransoms are usually paid in these double extortion attacks to prevent publication of the stolen data, but there are signs the tactic is becoming less effective, because victims have little confidence that the attackers will actually delete the data once they have been paid.
There have been several cases in which, even after the ransom was paid, the threat actors issued further extortion demands or published the stolen files anyway.
Hacker Likely Obtained Patient Records from Sutter Buttes Imaging Medical Group
Sutter Buttes Imaging Medical Group (SBIMG) in Yuba City, CA has learned that an unauthorized person gained access to third-party IT hardware used at its Yuba City imaging center and likely viewed and obtained limited patient information.
In December 2020, SBIMG discovered that a hacker had exploited an unpatched vulnerability in IT hardware used to store and transmit information about medical services provided to patients. Action was taken promptly to block the attacker's access to its systems and to protect patient information. The breach investigation found that the hacker first gained access to the IT systems in July 2019 and retained that access until December 2020, roughly 17 months of undetected access.
The investigation confirmed that the attacker accessed limited patient data, including names, dates of birth, imaging procedures performed, study names, internal patient/study numbers, and study dates. No financial information, insurance data, or Social Security numbers were exposed.
SBIMG has patched the vulnerability and taken steps to strengthen security and prevent similar breaches in the future, including closing selected firewall ports. Third-party security specialists helped review system security and implement additional safeguards.
SBIMG has notified all affected patients by mail and reported the breach to the HHS' Office for Civil Rights (OCR). The incident has not yet appeared on the HHS breach portal, so the number of individuals affected is not yet known.