Patient Files Dumped on Darknet Site After Hacking Incidents
Data Appears to Come From 2 Healthcare Organizations in Florida, Texas
The Conti cybercrime gang, known for ransomware attacks, has reportedly leaked sensitive patient data, as well as employee records, on a darknet site following recent hacker attacks on two healthcare organizations in Florida and Texas.
NBC News reports that the files posted to a blog on the dark web come from Miami-based Leon Medical Centers and Nocona, Texas-based Nocona General Hospital.
A source who has seen the data dumps on a Conti website tells Information Security Media Group that records of tens of thousands of individuals from the two entities appear to be among the leaked information.
The data dump includes patient records, such as scans of diagnostic tests and insurance letters, as well as some employee records, including background-check reports, NBC News reports.
Leon Medical Centers Breach
Leon Medical Centers on Jan. 8 reported to federal regulators a hacking incident affecting 500 individuals, according to an entry on the Department of Health and Human Services' HIPAA Breach Reporting Tool website.
In its Jan. 8 breach notification statement, Leon Medical Centers noted it was still in the process of identifying impacted individuals and preparing direct written notification letters regarding the incident to them as soon as possible.
The Miami-based organization said that on Nov. 8, 2020, it learned that it was the target of a cybercriminal attack and that portions of its computer network were infected with malware. The statement did not specify if the incident involved ransomware.
"We immediately took systems offline and, with the help of cybersecurity professionals, launched an investigation into the nature and scope of the incident. On Nov. 9, 2020, we received confirmation that certain files stored within Leon Medical’s environment that contain personal information had been accessed by the cybercriminals."
Leon Medical Centers said compromised information varied for each patient affected, but included: name, contact information, Social Security number, financial information, date of birth, family information, medical record number, Medicaid number, prescription information, medical and/or clinical information including diagnosis and treatment history and health insurance information.
In a statement provided to ISMG, Leon Medical Centers says patient services were not affected by the security incident.
"We are working diligently with third-party forensic experts to identify individuals affected by the matter," the statement says. "As soon as possible, we will provide direct notifications to any affected individuals, in accordance with relevant state and federal regulations. As our investigation continues, we are unable to provide additional information at this time."
Nocona General Hospital Incident
As of Wednesday, Nocona General Hospital apparently had not issued a breach notification statement. Also, no report of a data breach filed by the entity was posted on the HHS OCR HIPAA breach reporting website.
NBC reports that an attorney representing Nocona told the news organization that the healthcare entity did not appear to have been a victim of ransomware and no systems appeared to have been encrypted.
The attorney also told NBC that although he could not say with "absolute certainty" that Nocona did not receive a ransom demand, the organization "did not open one."
Nocona General Hospital did not immediately respond to ISMG's request for comment.
Brett Callow, a security threat analyst at vendor Emsisoft, says that in several recent incidents, cybercriminal groups have stolen data without deploying ransomware. "In one of those cases, the group claimed it elected not to deploy the ransomware because the company provided critical services," he says.
But that’s unlikely to be the situation in the Leon Medical Centers and Nocona General Hospital incidents, he notes.
"The operators of Conti are not choosy when it comes to victims: Governments, healthcare providers and charities are all fair game," he says.
"It’s also possible that the attack was detected and blocked after data had already been exfiltrated. This is also something that has happened in past incidents and, in such cases, a ransom note may or may not be dropped."
With Nocona General Hospital claiming there was no ransom demand, it's possible that the cybercriminals were demonstrating "that they can - and did - access important data," says former healthcare CIO Drex DeFord, strategic healthcare executive for security vendor CI Security.
"While [the hackers] put some data on the darknet, who’s to say they haven’t held some back, and may still make a ransom demand?" he asks. "It’s even possible the hackers could go directly to the patients to make ransom demands."
Retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP, notes that it's common for ransomware victims to overlook ransom demands from attackers.
"When I was with the FBI, I worked cases where the ransomware victim did not actually find the ransom note due to automated tools that may have destroyed it as they worked to restore their network," he says. "Therefore, I never assume there was or was not a note."
Most ransomware groups, however, "do leave notes to set up lines of communication over possible payment of ransom," he says. "If there was no note left, then this may be more of a nefarious type of disruptionware attack over a straight ransomware attack."
Large Targets, Big Pressures
The coronavirus pandemic has disrupted virtually all industries, but none more than healthcare, DeFord notes. "The pressure to modify existing operations and to create exceptions to sound security practices in support of a rapidly changing healthcare delivery mission has created new attack vectors for cybercriminals," he says.
Attracting and retaining security talent is challenging for many healthcare organizations, and security teams are often "out-gunned" by hackers, he notes.
"It’s not unusual to have hundreds of applications, spread over a complicated network that’s evolved over time," DeFord says. "That lack of simplification, coupled with the reality that most healthcare applications are mission-critical 24/7, means they’re harder to protect. Many apps are older legacy systems, which means it’s tough to take them off-line for upgrades and security patching."