Circles of Care sued over data breach involving confidential and sensitive information
Circles of Care is a healthcare provider in Florida offering diagnostic and treatment services to those with behavioral, substance abuse, or mental health issues.
In September 2022, they were the victim of a ransomware attack. Circles of Care first detected anomalous activity on their server on September 21, but according to their recent website notice, it wasn’t until November 29, 2022, that their investigation discovered that they had experienced unauthorized access on September 6.
Their investigation also discovered that some information had potentially been obtained, including first and last name, date of birth, Social Security number, address, phone number, driver’s license number, bank routing and account numbers, medical account number, provider name, service dates, diagnosis, and medical procedure codes.
On January 3, Circles of Care notified HHS that 61,170 patients may have been affected.
In their substitute notice on their website, they write, “To date, we are not aware of any reports of identity fraud or improper use of personal information as a direct result of this incident.”
That may be true, but it is not the whole story.
On October 6, the ransomware group known as AlphV or BlackCat added Circles of Care to their dedicated leak site. Their listing used a date of September 20 (which was probably the date that the ransomware was triggered). They also claimed they exfiltrated 313 GB of data with:
– Internal Company Data (Employees personal data, CV’s, DL’s, ID’s, SSN’s, Financial reports, Accounting data, Insurance, Agreements and much more);
– Clients documentation (DL’s, ID’s, SSN’s, Financial data, Credit Cards Data, Analyses, Agreements and much more);
– Complete network map including credentials for local and remote services;
– And more…
As proof of access to Circles of Care’s server(s), BlackCat posted screenshots of some metadata from the server showing that Drive C: had 313 GB of data, identity documents of two individuals, and files concerning patients with sensitive information.
One of the screenshots, heavily redacted by DataBreaches, was a portion of a forensic competency examination for a court. It included the individual’s name, date of birth, the charges they were facing, and other details.
A second screenshot, even more heavily redacted by DataBreaches.net, concerned an adolescent with significant developmental delays and issues. The letter describes her symptoms, her diagnoses, the doctor’s recommendations for treatment, and her prescribed medications and doses.
Both of the screenshots described above appear to be from 2021 files. A third screenshot with sensitive psychiatric information on a 9-year-old child was from 2019, and a fourth screenshot with adult patients’ names, dates of birth, phone numbers, and SSNs was undated, so it is not yet clear how much recent data BlackCat may have acquired.
Circles of Care’s notice doesn’t disclose enough
Nowhere in Circles of Care’s statement do we see any disclosure that the threat actors have leaked some personally identifiable information and protected health information on the dark web already and will likely leak more if their demands are not met. Nowhere in their notice do we see any mention of ransomware or any ransom or extortion demand. And nowhere do we see any statement as to whether files were locked or not.
BlackCat’s listing does not indicate the amount of their ransom demand. Nor do they claim they locked any files.
DataBreaches sent a contact form inquiry to Circles of Care earlier today asking for the missing details. No reply has been received. DataBreaches also reached out to BlackCat on Tox to see if they would provide some additional details at this point, but they have not replied. This post will be updated if either Circles of Care or BlackCat replies.
At least one lawsuit filed already
In the interim, at least one potential class action lawsuit has already been filed in federal court in the Southern District of Florida. The case is James Landini and Kaela Marie Perry vs. Circles of Care, Case 0:23-cv-60191.
The complaint does not claim the named plaintiffs have suffered any specific concrete injury. Its theory is more that they will have to be forever vigilant, and that they have been deprived of the value of their personal information and protected health information, to which the complaint attaches commercial value. The complaint seems to list nearly every law governing information security and privacy and claims that Circles of Care was negligent in not adhering to those requirements. It doesn’t point to a single specific thing Circles of Care allegedly did or didn’t do, and amounts to an argument of the form “they had a breach we think was avoidable, so they must have done something wrong or not done something they should have done.”
The above is not a flattering description of the complaint, and it may be that Circles of Care was negligent or sloppy somehow. But so far, the only criticism I see is that Circles of Care should have known in September or by October 6 when BlackCat posted data on their leak site that this was a serious threat to the confidentiality of patient data and yet they never timely told patients about the leak, the leak site, or the possibility or actual likelihood that more data will be leaked.