A confusing data dump from Vice Society

Attacking entities that try to save lives or provide health care seems despicable to most people—and attacking a hospice? That may seem especially vile.

Vice Society recently added two victims to their dedicated leak site: BSA Hospice of the Southwest and Family Medicine Centers/FMC Clinics. Both are Texas entities. But were both actually attacked by Vice Society?

When DataBreaches went to examine their respective leaks, the data was all comingled in one massive dump with more than 272,000 files.

Unable to find any statement on either entity’s website or any press release, DataBreaches reached out to Vice Society to ask why this was one dump and not two separate leaks — whether they obtained the data from two different systems or one.  A spokesperson for Vice replied, “The FMC network contained the credentials and authorizations of BSA Hospice users. I think this is enough to be considered a joint business.”

Well, not really. There are many medical entities or hospitals where external medical offices/practices have access to patient records because the external entity treats patients or needs to access records. That doesn’t make the entities a joint business.  (SEE UPDATE UNDER POST)

FMC has not replied to repeated inquiries despite acknowledging receipt of the questions. There are no reports from either entity on HHS’s public breach tool or the Texas Attorney General’s breach site. DataBreaches has also sent an inquiry to BSA Hospice of the Southwest, but no reply was immediately received.

For now, then, and based on an inspection of the files in the data leak, it appears that Vice hit Family Medicine Centers / FMC Clinics, but it is not clear to DataBreaches that they hit BSA Hospice of the Southwest even though files concerning BSA Hospice patients are in the leak.

One other tidbit about this particular incident for now:  Vice informs DataBreaches that they did not encrypt the systems because they were blocked. As a result, they abandoned efforts to encrypt and just exfiltrated data.

Update: @_bettercyber_ found a link between FMC and BSA Hospice of the Southwest:

So if they are one and the same, then that makes it seem that this wasn’t two separate attacks but one system that got hit.  Great thanks to BetterCyber for spotting what I had not found! And it looks like Vice was right in talking about a “joint business.”

About the author: Dissent

Comments are closed.