Fraud Management & Cybercrime , Healthcare , Industry Specific
Neuro Practice Tells 363,000 That PHI Was Posted on Dark WebRansomware Incident Knocked Out Computer Network, Email and Phones
An Indiana neurology practice is notifying nearly 363,000 individuals that their sensitive information was compromised in a recent ransomware attack - and that some of their data was posted on the dark web.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The practice does not identify the ransomware group or data leak site, but Russian ransomware group Hive - which was the subject of a recent federal advisory to the healthcare sector - is implicated in the attack. Hive has been aggressively targeting the U.S. healthcare sector.
Nerve and gray matter specialists Goodman Campbell Brain and Spine, in a data breach report to Maine's attorney general on July 19, says a "sophisticated" ransomware attack, which affected its computer network and communications system - including email and phones - resulted in a compromise to patient and employee information.
The practice says that after discovering the attack on May 20, it immediately took steps to secure its systems and engaged a forensic analysis and incident response firm. Goodman Campbell says it also notified the FBI.
An investigation into the incident subsequently determined that an unauthorized third party had acquired information from the practice's systems, the organization says.
"Notably, the attacker did not access our electronic medical record system, but was able to access patient information and records in other locations on our internal network, such as appointment schedules, referral forms, and insurance eligibility documentation," Goodman Campbell says.
Information affected in the incident included names, date of birth, address, telephone number, email addresses, medical record number, patient account number, diagnosis and treatment information, physician name, insurance information, dates of service, and Social Security numbers, the practice says.
"While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the dark web," the practice's notification letter says.
The breach notification letter follows an earlier disclosure by Goodman Campbell about some of its data affected by the attack showing up on a leak site.
In a statement posted on its website on June 17 about the incident, Goodman Campbell disclosed that "a number of files" containing sensitive patient and business information obtained by the cybercriminals during the cyberattack had been posted on the dark web.
The practice's disclosures do not identify the dark web site or ransomware group behind the attack.
Cybercriminal group Hive in June posted on its leak site samples of data allegedly obtained in the Goodman Campbell hack, according to Databreaches.net.
A source who asked for anonymity in order to be candid tells Information Security Media Group that as of Thursday, some Goodman Campbell patient information allegedly stolen in the attack was still posted on the Hive leak site. The medical practice asserts its data was available on the dark web for only about 10 days.
A healthcare entity informing individuals in a breach notification letter or statement that their information has been potentially listed on the dark web is a highly uncommon level of transparency, some experts say.
"Disclosure statements are typically woolly and it's certainly unusual for a healthcare entity - in fact, for any organization - to specifically state that data was posted on the dark web," says Brett Callow, a threat analyst at security firm Emsisoft.
"That said, it's something I believe should be a requirement. People have the right - or, at least, should have the right - to know exactly what happened to their medical information and other personal information."
Goodman Campbell says it is offering affected individuals 12 months of complimentary identity and credit monitoring. Also, in the wake of the incident, the practice says it is implementing new monitoring solutions to protect against future cyberattacks.
An attorney representing Goodman Campbell in the organization's breach situation did not immediately respond to ISMG's request for additional information about the incident.