Amphastar Pharmaceuticals discovers that threat actors had exfiltrated employee data in May ransomware attack
On July 21, the DoppelPaymer ransomware threat actors added Amphastar Pharmaceuticals to their leak list. They also uploaded a number of files as proof of access and exfiltration. It was because of that listing that Amphastar eventually discovered that employee data had been stolen in a May attack.
On August 27, Amphastar sent notification letters to current and former employees whose information was impacted by the attack. The letter explains:
On July 24, 2020, the Company learned for the first time that some Company data had been posted on the internet without authorization on July 21. Most of the information was legacy data (approximately 15 years old) and included some of your personal information along with other company records.
The Company immediately investigated this posting to learn what happened with the assistance of a leading specialist routinely retained to assess and mitigate cybersecurity incidents. The posting was determined to be related to an earlier ransomware attack on May 2, 2020 that had been fully contained without any indication that data had been removed based on available records. No payment was or will be made to the criminals responsible for this malicious/criminal act. The Company was able to use backups and restore business continuity promptly. As law enforcement and others have reported, ransomware attacks have increased and have targeted the healthcare industry in the United States and around the world including during the global pandemic.
What Information Was Involved?
The personal information that was involved included your first and last name, and Social Security Number.
To be clear, other personal information was not involved. For example, the Company has concluded that there was no driver’s license number or government identification number, credit card or financial account number, medical or health insurance information, biometric data, or user name or email address along with a password or security question and answer.
You can read their whole notification letter on the California AG’s web site.