A Pennsylvania HIM services provider hit with ransomware; threat actors claim they will leak source code

Hive threat actors have allegedly hit Diskriter, a Pennsylvania-headquartered firm that provides health information management services, revenue cycle management solutions, transcription services, and staffing. Diskriter’s clients include a number of state and municipal governments as well as medical facilities.

Diskriter’s Twitter header.

Hive’s spokesperson claims that the ransomware group was able to exfiltrate more than 160 GB of files that include contracts and other business documents, financial records from the firm, personal and financial information about the company’s executives, personnel information on employees, and files concerning software source code.

Inspection of a sample of 39 files provided exclusively to this site revealed copies of checks and invoice statements for some current clients of the firm. There were also a number of files from September, 2016 that include what appears to be protected health information of named patients seen by a West Virginia occupational medicine physician for disability-related reasons. There were dozens of named patients with their SSN in the files.

In addition to the protected health information concerns, there was also a file in the sample called “login” that contained numerous sets of login credentials for various individuals and services. All of the credentials were in plain text, and there was a dishearteningly  large amount of re-use of usernames and passwords. That file also contained notes on other aspects of the business’s operations.

DataBreaches emailed Diskriter on June 20 to ask them about the claimed attack. In that email, DataBreaches also informed them that this site was provided with some login information, which for ethical and legal reasons, DataBreaches did not attempt to test or verify.

“But if your firm uses “[redacted]” as a username for any services or accounts, you should probably change all your logins and passwords,” DataBreaches added. The username included in the email was a distinct username that this site would have been unlikely to guess or randomly make up.

Diskriter did not respond to that email, nor to a second request sent on June 21.

As of the time of this publication, there is nothing listed on Hive’s dark web leak site that indicates that they have attacked Diskriter, but Hive also provided DataBreaches with a file tree that shows a very large number of staff/employee resumes on diskriter’s system, as well as information on Diskriter’s clients and fiscal year records.

Because Diskriter appears to be a business associate under HIPAA to a number of covered entities whose names can be ascertained from the filetree, it looks like Diskriter may have a number of notifications to make. According to Hive’s spokesperson, they encrypted Diskriter on June 8, and they also encrypted their backups. When DataBreaches asked how hard it was to gain a foothold or access, Hive’s spokesperson responded, “Simple. Very poor network strength.”

Hive reportedly contacted Diskriter that same day with a ransom demand, but according to Hive, negotiations stopped after Hive’s routine “introduce yourself” message that asks whoever enters their negotiation chat to introduce themselves by their name and position in the company.  “We negotiate only with a representative who has the authority to make decisions. They stopped negotiations,” Hive told DataBreaches.

Although Diskriter was allegedly encrypted on June 8, there is nothing on their website, their Twitter account, their Facebook page, or their LinkedIn account to indicate it.  Has their functioning or client services been impacted? DataBreaches does not know because Diskriter has not responded to inquiries.

“They have a high limit cyber insurance but they decided to ignore us and they think that we have nothing. But we will bring to public the source code of their product !!!” the spokesperson for Hive writes.

This post will be updated if more information becomes available.

Updated June 28: Hive has now added Diskriter to their leak site and has leaked their data. The leak includes the files previously seen by DataBreaches and described above, but there are other files as well.

As of this morning, there is still no notice or statement on Diskriter’s website or their Twitter or Facebook accounts. Nor did they ever respond to this site’s inquiries.

About the author: Dissent

Comments are closed.