Exclusive: Cloud Vendor Returns Stolen Hospital Data
Alliance Had Sued LockBit Gang to Force Cloud Firm to Release Affected Patient Data
A cloud services firm has turned over to a New York hospital alliance the patient data stolen in an August ransomware attack by the notorious LockBit gang. The hospital group - North Star Health Alliance - had filed a lawsuit against LockBit in November as a legal maneuver to force the storage firm to return the patient data the cybercriminals had exfiltrated from the hospitals and stashed on the Massachusetts vendor's servers.
Wasabi Technologies recently turned over to North Star Health Alliance data that LockBit stole and stored on the Boston-based company's servers, said David Hoffman, general counsel of Claxton-Hepburn Medical Center, one of the three North Star Health Alliance members that was affected by the August attack (see: Hospitals Sue LockBit, Ask Cloud Firm to Return Stolen Data).
Hoffman, in an exclusive interview with Information Security Media Group on Monday, said North Star Health Alliance had sought the return of the patient data from Wasabi to help the healthcare group to assess the information compromised in the incident and to notify affected individuals.
"We filed a lawsuit against John Doe and Jane Doe, fictitious individuals representing the human beings who run the LockBit criminal syndicate, in order to have a vehicle for issuing a judicial subpoena - a legal request to the cloud-based service provider to, in effect, give us back the information that the bad guys - the LockBit criminals - were able to exfiltrate, to actually remove from our IT infrastructure and deposit on the cloud-based storage servers," he said.
The upstate New York-based hospital alliance sought the return of the data by the storage vendor Wasabi "so that we would have a clear and certain understanding of what information left our organization's IT infrastructure. And what of that information then left the cloud-based provider's platform so that it was potentially in the possession of the bad guys."
The three members of North Star Health Alliance - Carthage Area Hospital, Claxton-Hepburn Medical Center and North Country Orthopaedic Group - filed the legal complaint Nov. 29 in St. Lawrence County Court in New York against "John Doe and Jane Doe" - "unknown threat actors" who represented themselves as LockBit.
The lawsuit alleges that the defendants "conspired to carry out the complex cybercrime and movement of stolen assets." The identity of the defendants "is currently unknown, as they have perpetrated the subject scheme in secrecy and utilizing the worldwide web," according to the lawsuit.
The complaint names Wasabi Technologies as the vendor operating the storage servers to which LockBit transferred the stolen North Star Health Alliance data and on which it stored that data. "Upon information and belief, Wasabi has already provided copies of the stolen data to the FBI," the complaint alleges. Wasabi agreed to release the data voluntarily, Hoffman said.
"We were able to work with the legal staff of the cloud-based provider in order to get copies of that information back," Hoffman told ISMG. "We are currently in the process of analyzing that information to determine which of our patients were affected and what information left our control so that we can take appropriate steps to protect the privacy interests of our patients," he said.
"This is both a risk management concern, obviously, but it's also an ethical concern from the perspective of our obligation to our communities."
North Star Health Alliance has not yet determined the number of patients affected or the information compromised, said Hoffman, who is also assistant professor of bioethics at the Columbia University School of Professional Studies.
Now that the data stolen by LockBit has been returned by Wasabi, the hospital group will likely drop its lawsuit against the cybercriminals, Hoffman said.
"I have no expectation that LockBit will ever respond to the lawsuit. I'm not sure that they even know that it occurred, and I suspect that they just don't care," he told ISMG.
"Once we are sure, in working with the cloud-based service provider, that we have everything that we need, the lawsuit will be discontinued. There's no purpose served in keeping it clogging up the court system's calendar unless we learn something that suggests that we might be able to identify one or more individuals."
Wasabi did not immediately respond to ISMG's request for comment.