El Camino Health investigating claims of a data breach

El Camino Health is investigating a possible data breach involving patient data, but whose breach is it?

On February 22, DataBreaches received a tip about a listing offering patient data allegedly from El Camino Health in California. The listing was not on any of the usual leak sites, markets, or forums, and the poster was unknown to DataBreaches.

Top portion of blog post. Image: DataBreaches.net.

The listing read:

El Camino Health in Mountain View, CA had an unauthorized access of their network from September 2021 to January 2023

How did it happen? In September 2021 an employee was phished. access was initially blocked, but after a few tries the employee accepted the MFA prompt. vulnerability was exploited and moved laterally. The hacker created a backdoor so the MFA prompt was no longer needed.

4M+ records have been amassed. names are being dropped 500- 5000 at a time

if you want some random patient names, MRN, and physicians who saw the patients on 8/21/2022

What followed was more than a dozen rows of data with dates from 2021 – January 2023, formatted as:

Patient Last Name
Patient First Name
Location – Hospital Name
Physician Name

The poster also provided a few other names with dates of birth and a list of just patient names with no other fields. A linked paste contained more names.

“I have Full names, MRN, DOBs, Addresses and some phone numbers  for all of these. No SSN though,” the poster claimed.

DataBreaches reached out to the blogger, but discovered that the listing had already been removed. The poster did not reply to this site’s inquiry but later posted an apology and explanation:

To those asking:
I deleted the references because someone reached out to buy it, I gave them a sample and they bought the rest. So I will not be posting about it anymore. I’m on to the next one. First come, first serve!

But they did post about it again. On March 10, a new forum user with a very similar username appeared on BreachForums and appeared to be offering the same data that had allegedly already been sold.

DataBreaches has not been able to definitively prove it is the same data because the link to the sample data in the forum post has never worked. When asked by other forum users who wanted to see the data, the forum user said they would fix their non-working link in a few days, but by six days later, they had not fixed it.

The forum user claimed to have 26 GB of files that included patients’ personal information and information like medical diagnosis, reason of visit, and health policy information. Note that while original listing claimed September 2021 was the breach date, this listing claims July 2021 and offers no details about how the breach allegedly occurred. Image: DataBreaches.net.

El Camino Investigates

On February 23, after reaching out to the original poster, DataBreaches reached out to El Camino Health to ask them if they had suffered a breach or could respond to the claims. DataBreaches attached the text of the original blog post and the list of patient data to the inquiry.

El Camino responded that day, and DataBreaches subsequently learned that they had not been aware of any data security incident or issue until they received DataBreaches’ inquiries.

DataBreaches delayed reporting this incident until today to give El Camino time to initiate their investigation and possibly get some answers. Throughout the past few weeks, El Camino has provided this site with frequent updates on their investigation that DataBreaches agreed not to publish so as not to interfere with their investigation.

So what do we know so far? DataBreaches had immediately started trying to verify that the named patients were real people, and it was fairly easy to verify that for a sample that DataBreaches researched. It was also possible to verify that individuals named as patients in 2021 and 2022 rows lived in the Mountain View area in those years. So it does appear that patient data may have been acquired. But was it acquired from El Camino Health or was it acquired from a vendor? And was it acquired by the method the original poster claimed?

Having seen a lot of patient records over the years, DataBreaches was somewhat skeptical that the data posted in the sample came from the health system because of the formatting and fields.

DataBreaches submitted a private message to the forum user on BreachForums, asking them to clarify whether the data were obtained from El Camino Hospital, El Camino Health, or a vendor (and if a vendor, which one). They have not replied, even though they logged in after the message was sent to them.

Three weeks since they were first made aware of the claimed breach, El Camino continues to investigate to determine whether the data came from their system or some other source. They have provided DataBreaches with a statement as an interim disclosure until they have more facts to disclose.

El Camino Health is investigating claims of a potential disclosure of patient information on a dark web forum. We approach data security with the utmost seriousness and are working diligently with third-party experts and a partner organization to investigate these claims and ensure the security of our data and systems.

This incident has not affected our operations or patient care. Additionally,
based on the investigation conducted to date with the assistance of third-party cybersecurity experts, we have no indication that there is an active compromise to our systems.

Based on our current review, the information involved includes 14 medical imaging patients’ names, a medical record number, physician name, and date of service.

With our commitment to transparency and doing right by our patients, on March 15, we notified the patients whose medical information we know was involved to provide them with information on the incident and steps they can take to help protect their information. Additionally, we reported to state regulatory officials, as required.

Obviously, El Camino’s statement should not be taken to mean that there are only 14 patients involved or that they believe that there are only 14 patients involved, but the original listing only contained a limited number of rows with data, so they have notified those who they could confirm were El Camino patients, even though it may still not be clear whether the data came from their system or not.

Other notifications will be made if and when it is confirmed that protected health information was accessed or acquired, and when El Camino determines where the data came from.

About the author: Dissent

Comments are closed.