UT: Astro Team threat actors dump patient-related files allegedly from Eduro Healthcare

Eduro Healthcare is a Salt Lake City, Utah based company providing transitional care, skilled nursing and rehabilitation services, and assisted living.

Eduro provides an email address to use for contact. Sadly, it does not work. Nor do they seem to respond to contact form messages. Or emails to their executives.

On April 7, a relatively new group of threat actors called Astro Team added Eduro Healthcare to their dedicated leak site, claiming to have exfiltrated 40 GB of data.  Astro Team’s ransomware has reportedly been linked to Mount Locker ransomware.

On April 23, Astro Team dumped all the data, presumably because Eduro failed to pay unspecified ransom demands. Whether Eduro ever responded at all is unknown to DataBreaches.net. Nor can DataBreaches.net report with confidence that Eduro’s system(s) were encrypted, but given what is known about Astro Team, it seems plausible.

Astro Team Listing for Eduro

What this site can report with somewhat greater confidence, however, is that the data dumped includes what appears to protected health information (ePHI).  The following screencaps, taken by DataBreaches.net and redacted by DataBreaches.net,  show that there were files with EOBs (Explanation of Benefits) from health insurers. EOBs may include patient names, health insurance information, date of birth, diagnoses, and treatment codes, as well as dates of services and amounts.  Financial statements related to named patients for 2015-2018 were included in the dump, sorted by insurance carrier, as well as Medicaid audits and billing records.

Nursing Facillity Level of Care Form

In one folder alone, there were more than 8,000 scanned files relating to patient accounts or services and billing, including past due letters and attempts to locate patients whose accounts were unpaid.

DataBreaches.net did not attempt to calculate the number of unique patients, but noted that the data were old: 2015-2018 and there were numerous references to Rio at Cabezon.

Eduro Healthcare acquired Rio at Cabezon in May, 2018, and in its latest email inquiry to Eduro, DataBreaches.net asked whether it was possible a legacy server had been compromised. There was no answer.

No incident involving Eduro has appeared on HHS’s public breach tool, and there has been no mention of any breach on Eduro’s web site or Facebook page.

Based on the data dump, the files may have been exfiltrated on March 5, 2021, but even that is not definite. DataBreaches.net made no attempt to contact any patients at this point, hoping that Eduro will issue a statement.

So if this is eventually confirmed as a breach, when did Eduro first discover it? And what, if anything, have they done in response?

DataBreaches.net will update this post is a response is received. DataBreaches.net also reached out to the threat actors. Who knows? Maybe they’ll provide more details.




About the author: Dissent

Comments are closed.