Four ransomware attacks on non-U.S. medical entities: Did anyone get notified?
So far, 2022 is not turning out to be a better year than 2021 when it comes to ransomware attacks on the healthcare sector. In its recent report, “The State of Ransomware in Healthcare 2022,” Sophos reports that ransomware attacks in the healthcare sector almost doubled from 2020 to 2021 and that while the ransom is more likely to be paid, somewhat less data is actually recovered:
On average, in 2021, healthcare organizations that paid the ransom got back only 65% of their data, down from 69% in 2020. Similarly, only 2% of those that paid the ransom in 2021 got ALL their data back, down from 8% in 2020.
Worryingly, reports have approximately doubled again when we compare the first five months of 2022 to the first five months of 2021 for breaches reported to the U.S. Department of Health & Human Services.
Outside the U.S., however, there does not seem to be as much media coverage or disclosure of breaches affecting medical entities, even though the GDPR or similar laws may impose some notification obligations.
In this report, DataBreaches.net notes four ransomware incidents in the healthcare sector outside of the U.S.: one in Argentina (OSSEG), two in Colombia (SaludTotal EPS-S and CIELD), and one hospital in Spain (Hospital San Jose). The threat actors involved are names already known to readers: LockBit, Vice Society, Conti, and Snatch Team.
Despite the threat actors publicly naming their victims and leaking data that often includes sensitive patient data, the victim entities generally did not post public notices about the breaches on their websites and they did not respond to inquiries from DataBreaches.
OBRA SOCIAL SEGUROS
Obra Social Seguros (OSSEG) provides health insurance services for the social work union. The Argentinian entity was added to Vice Society’s dark web leak site on March 28th. The content uploaded by Vice Society had folders, history files, scans, and more. Many of the files appeared to embed patient names or individuals’ names. One directory of scanned files appeared to relate to medical information on members.
The OSSEG incident was first covered by rosario3 on March 30, who also noted the extensive personal information that was leaked.
A notice on OSSEG’s website alerted members to “technical” problems but didn’t actually tell them that this was a cyberattack that compromised the privacy and security of their personal information:
Dear Members: We have detected technical problems in the central system of the Obra Social de Seguros. Our technicians are carrying out the work to solve these inconveniences as soon as possible. Any query or procedure that you need to carry out can be communicated with the following emails or cell phones:
That notice no longer appears, but there is now another notice:
We inform you that access to the web is enabled
exclusively to carry out Booklet, Pharmacy and
Remember that for face-to-face attention you must request your shift
through the On Line Shifts section
At the moment access to the Web is not enabled.
We are working to restore
all the information provided on our website as soon as possible.
Please excuse the inconvenience.
From already, thank you very much for your comprehension.
It is not clear to us whether that notice is in any way related to the ransomware incident.
DataBreaches sent repeated e-mails to OSSEG about the incident, but received no replies. Vice Society, however, did answer a few questions we had. A spokesperson informed DataBreaches that the attack occurred in Mid-March and Vice claims that they were able to encrypt about 70% of the network because the network administrator allegedly ignored basic security rules. All told, the spokesperson estimated that the dump contained 15-16 GB of data.
OSSEG never responded to Vice Society’s ransom demands at all, the spokesperson informed us.
Because OSSEG never responded to any of DataBreaches’ email inquiries about the incident, DataBreaches does not know if OSSEG ever individually informed any of the patients, employees, or providers who had their personal information accessed and publicly leaked.
SaludTotal is a health promoting entity in Colombia. A notice on their website dated May 2 disclosed that they had had a computer attack, although they did not specifically mention that it was a ransomware attack. As the entity worked to restore impacted services, it also apprised the public of the situation noting that virtual service channels for Virtual Office, Point of Care at Home, Mobile Application, WhatsApp COVID-19 and Pablo, the virtual advisor, had been deactivated.
SaludTotal reassured its 4.7 million clients that they were working diligently to restore and to continue to provide services and that they had filed criminal charges against the threat actors at the request of the Attorney General’s Office.
Although it wasn’t disclosed at that time, SaludTotal, like OSSEG, had been a victim of Vice Society. The ransomware group added SaludTotal to their leak site on May 11, 2022. As they generally do, Vice Society just dumped files with no overall statistics or directories provided. Inspection of the files revealed folders for different institutions providing services (IPS). Such institutions included hospitals, clinics, or other health centers.
In addition to internal organizational files such as invoices, purchase orders, and routine business records, there were also patient records for named patients, as the screencap below illustrates. Databreaches found that there were a number of clinical history records on named patients, with each record being 6-11 pages and replete with personal and sensitive information and medical details.
DataBreaches sent email inquiries to Saludtotal on June 13 and to some of the health facilities who had files in the data dump on June 15. SaludTotal was asked if they had notified patients whose personal information was leaked. The health facilities were asked if SaludTotal had ever notified them of any breach.
None of those contacted replied.
Note: SaludTotal and OSSEG are not Vice Society’s only healthcare sector victims. In January 2022, DataBreaches reported on their attack on Amaveca Salud in Spain. In that report, we also pointed to previous coverage of Vice Society’s attacks on Waikato District Health Board in New Zealand and Centre Hospitalier D’Arles in France.
Clinica Integral de Emergencias Laura Daniela
Clinica Integral de Emergencias Laura Daniela (CIELD) has provided healthcare services in Colombia since 2003. On January 17 of this year, Snatch Team added them to their site with a few screencaps. Subsequently, in March, Snatch Team leaked 1.6 GB of files.
In addition to their clearnet and dark web leak sites, Snatch Team’s telegram channel provided updates and links to info on CIELD. Redacted by Databreaches.net.
Inspection of the leaked data revealed more than 50 employee profiles with employees’ personal information, resumes, copies of identification documents, diplomas, professional credentials, vaccination certificates, and psychological interview notes.
Other files related to internal clinic operations or functions, such as emails, passwords, plans, and reports. And yet other files appeared to relate to patients.
In researching the report on Snatch Team, DataBreaches discovered that CIELD had originally been listed on Conti threat actors’ leak site in April 2021. At the time, Conti dumped 2.61 GB of files, comprising more than 10,700 files.
On February 19, DataBreaches reached out to CIELD to inquire about the incident and whether the incident listed on Snatch Team had been disclosed to the SIC (Superintendency of Industry and Commerce), employees, and patients. They did not reply.
DataBreaches contacted CIELD again on March 14 after we noticed that their Twitter account indicate displayed a name change to Organización Humanitaria Integral. Again, there was no reply. Nor was there any reply to an inquiry sent on March 25.
At that point, then, DataBreaches reached out to the Superintendency of Industry and Commerce to see if the clinic had notified them of the security incident and perhaps notified employees and patients whose personal data had been exposed in this incident. On May 6, 2022, We received a response from the Director of Investigation of Personal Data Protection, Mr. Carlos Enrique Salazar Muñoz. His response to our inquiries were somewhat surprising.
According to his reply, his office had not received any report from CIELD. That did not surprise us at that point, but he claimed that the entity wasn’t even registered in the National Registry of Databases (we were able to find it and were confused by that statement). But then the regulator indicated that if we wanted to file a complaint about CIELD and an alleged incident, we would have to send them proof. DataBreaches followed up by writing back to the regulator that we were not interested in filing a complaint, but merely wanted to know if the incident had been reported to them. Their response reiterated that they had no report from CIELD.
As if things weren’t confusing enough, on May 23, a routine follow-up check of Snatch Team’s site led to the discovery that the CIELD listing had been removed. Once again, we emailed CIELD/OHI. Once again, they did not reply. Nor did Snatch Team respond to an inquiry to them asking why CIELD had been removed from their site.
If the Snatch Team CIELD leak was the same incident claimed by Conti in April 2021, surely the employees and patients should have been notified by now? But have they been? Despite our efforts to find out, we were unable to get any answer on that.
Hospital San José, Las Palmas De Gran Canaria
Hospital San José was added to LockBit’s leak site on June 5. The leak includes folders that contain files concerning hospital administration and other internal documents, but there are also what appear to be medical reports and Covid testing-related files.
Some employee-related information was also leaked, including contracts. But the most sensitive information appeared to be the records of patient examinations, medical records, and emergency medical reports.
DataBreaches was unable to find any notice on the hospital’s website or on their Facebook page. DataBreaches sent email inquiries to the hospital both before (June 4) and after (June 8) LockBit actually leaked data but received no reply. An email inquiry sent to the data protection regulator, Agencia Española de Protección de Datos (AEPD) on June 8 also received no reply.
Although many countries have breach notification requirements, it is not clear to us whether any of the entities identified in this report have actually sent individual notification letters to affected employees or patients. They may have, but we just do not know. In fact, with a few exceptions, there is generally less media coverage of breaches in the healthcare sector in other countries than we tend to see here in the U.S.
If anyone has received a notification from any of the four entities discussed in this post, please forward a copy to chum1ngo[@]protonmail.com. If any researcher has additional information on any of these incidents, please contact that email address with the information.
FOR MORE INFORMATION, SEE:
- LockBit, Conti, and BlackCat Lead Pack Amid Rise In Active RAAS and Extortion Groups: Ransomware in Q1 2022.
- Unit 42: LockBit 2.0: How This RaaS Operates and How to Protect Against It
- FBI Flash: Indicators of Compromise Associated with LockBit 2.0 Ransomware
- AdvIntel: DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
- Exclusive – Hackers hit the Municipality of Palermo. Vice Society, “Sispi is lying”
Dissent Doe also contributed to the research and reporting in this article.