Two more healthcare providers have suffered ransomware attacks in which sensitive information was exfiltrated and leaked online when the ransom was not paid.
The Conti ransomware gang has published data on its leak site that was allegedly obtained in an attack on Rehoboth McKinley Christian Health Care Services in New Mexico. The leaked data includes sensitive patient information such as scanned patient ID cards, passports, driver’s license numbers, diagnoses, treatment information, and diagnostic reports.
It is unclear how many patients have had their PHI exposed so far. The Conti ransomware gang claims it has only published around 2% of the data stolen in the attack.
The latest data leak by the Conti ransomware gang follows similar leaks of the data stolen in the ransomware attacks on Leon Medical Centers in Florida and Nocona General Hospital in Texas.
The Avaddon ransomware gang has similarly published data on its leak site that was stolen in an attack on Capital Medical Center in Olympia, Washington. The gang has threatened to leak further data within the next few days if the ransom is not paid. The leaked data includes driver’s license numbers, patient documents, diagnosis and treatment information, insurance information, lab test results, prescriptions, provider names, and patient contact information.
According to Emsisoft, there are currently at least 17 ransomware gangs engaging in data exfiltration prior to file encryption, all of which threaten to release or sell the stolen data if the ransom is not paid. The latest Coveware ransomware report suggests data exfiltration occurs in around 70% of ransomware attacks. These double extortion attacks often see the ransom paid to prevent the release of stolen data, but there are signs that this tactic is becoming less effective due to a lack of trust that the threat groups will delete stolen data if the ransom is paid.
There have been several cases where payment has been made, only for further extortion demands to be made or for stolen data to still be published on leak sites.
Hacker Potentially Obtained Patient Data from Sutter Buttes Imaging Medical Group
Sutter Buttes Imaging Medical Group (SBIMG) in Yuba City, CA has discovered that an unauthorized individual gained access to third-party IT hardware used at its Yuba City imaging center and potentially viewed and obtained limited patient data.
In December 2020, SBIMG learned that a hacker exploited an unpatched vulnerability in IT hardware that was used to store and transmit information in connection with medical services provided to patients. Action was immediately taken to expel the hacker from its systems and secure patient data. An investigation into the incident revealed the hacker first gained access to the IT hardware in July 2019, and access remained possible until December 2020.
An investigation into the security breach showed the attacker had access to limited patient information such as names, dates of birth, imaging procedure performed, study date, study name, and internal patient/study numbers. No financial information, insurance information, or Social Security numbers were compromised.
SBIMG has corrected the vulnerability and other steps have been taken to improve security to prevent similar breaches in the future, including closing certain firewall ports. Third-party security experts have been engaged to assess system security and additional security controls are now being implemented.
All patients have been notified by mail and the breach has been reported to the HHS’ Office for Civil Rights. The incident has yet to appear on the HHS breach portal, so it is currently unclear exactly how many individuals have been affected.