From a new report by InfoArmor:
InfoArmor has identified a group of bad actors performing targeted cyberattacks on healthcare institutions and their IT infrastructure, including connected medical devices such as Magnetic Resonance Imaging systems (MRI), X-ray machines and mobile computing healthcare workstations. This group of bad actors has performed at least four successful attacks against US-based organizations of varying size, compromising a significant number of medical records. The threat actors claim to have stolen millions of medical records and gained unauthorized access for ransomware distribution.
The four incidents InfoArmor refers to have all previously been reported on this site, but there are actually more than four that we already know about:
- A database from Farmington, Missouri with 48,000 patients’ records. DataBreaches.net subsequently identified that one as Midwest Orthopedic Pain & Spine clinic owned by Dr. Scott Van Ness. TheDarkOverlord subsequently confirmed that in a paste where they dumped 499 records, and in tweets.
- A database from Oklahoma City with 210,000 patients’ records. That one has yet to be publicly named, and although DataBreaches.net has a strong suspicion who it is, this site will not name them without more indicators.
- A database from Atlanta, Georgia with 397,000 records. DataBreaches.net identified that one as being from Athens Orthopedic Group, and although they never officially confirmed it to me, @tdohack3r did later name them in a tweet that was subsequently deleted.
- A database from Bronx, NY with 34,000 records. This one has not been identified and I’ve seen no further follow-up on it.
- A database from Fairview, Illinois with 23,565 patients’ records. DataBreaches.net identified this one as being from P&O Care in Fairview. Although they have not responded to several inquiries, field codes in the sample data in combination with pictures in an earlier tweet from @tdohack34 enabled identification.
- A database with 9.3 million records that were described as being from a large health insurer. DataBreaches.net believes that this was not necessarily a direct attack on an insurer, but may have involved a vendor or business associate. Much of the information appeared to be old, e.g., an email address listed for one member was their email address no later than 2012, and many other email addresses indicated email services that are no longer popular. Although the insurer DataBreaches.net believes is linked to this mess sent this site a carefully worded denial, they have not answered the question as to whether they were denying that this was a breach at one of their vendors. Here is their spokesperson’s most recent statement to me:
I checked with our team and there is no evidence to suggest our data or systems were compromised as it relates to this matter. Protecting our members’ and customers’ information is a top priority for us–we remain vigilant and continue to closely monitor the security and integrity of our environment.
Their statement does not really rule out a vendor or third party, especially when someone in the sample data, who was contacted by DataBreaches.net, identified this insurer as always having been their insurer.
None of the above attacks involved ransomware. From what the hackers told DeepDotWeb and the Daily Dot, there appear to have been ransom demands, but the demands were for payment in exchange for not selling the patient data on the black market. As far as this site has been able to determine, the initial attacks did not lock up systems or interfere with operations of the targeted facilities.
To date, none of the above incidents have shown up on HHS’s public breach tool, and none of the above entities have issued public statements acknowledging any breach. I would assume that the entities all plan to notify HHS, even if they pay ransom, as their patients’ records fell into criminal hands, and even if the criminals promised to delete the data they acquired, there is no assurance or proof that they would.
Yesterday, the same hackers added a new offering:
Listed here is the source code, signing keys, and licensing database stolen from a large HL7 software developer located in the United States. This HL7 software has been distributed and used by hundreds of clients around the world. This software allows an organization to link hundreds of healthcare devices and databases together to help mitigate the cost of purchasing newer software products and expanding the life span of healthcare systems through the use of its integrated development environment that can be used to generate new assembly line style automation of processes and data transfer. In addition to the source code for the HL7 Interface Engine software, the private keys for signing the code will also be included as well as the licensing database that entails a full record of all clients and their deployment and status information. There are many legitimate and nefarious uses for this exclusive package offer. You are only limited by your imagination.
If you are a software developer located in another part of the world, this bundled package would be perfect for your company and give you an edge over your regional competition.
The price tag? Over $500,000 at yesterday’s BTC conversion rates.
DataBreaches.net notified this entity of the breach last week after becoming aware of it and seeing evidence of it, but after an initial contact and telephone conversation, they did not respond to a follow-up email alerting them that the breach appeared to be much more extensive than they believed. Maybe they’ll believe it this week, as I would assume that they, too, are being hit with a ransom demand. DataBreaches.net is withholding publication of their name to give them a bit of time to investigate and to make the disclosure themselves.
So is the healthcare sector under attack by this group? Yes. And the healthcare sector appears to be sitting ducks. Both TheDarkOverlord, in an interview with yours truly, and InfoArmor note concerns about EHR software. If a hacker is telling you that stealing patient data is child’s play because of your software, perhaps you might take that to heart? And if the hacker is telling you that he’s finding login credentials in plain text and then using them, is there something usable in that statement, perhaps?
As for me, as a healthcare professional, words fail to convey how disgusted I am… with our sector for lack of reasonable security, and with these hackers who put lives at risk and don’t give a damn that people who may desperately need treatment may not seek treatment for fear of their records being hacked and leaked. To them: I asked you to stop attacking vulnerable populations, but you wouldn’t agree. Maybe you will think about my request some more and agree. If so, I would love to hear from you to that effect. Otherwise, maybe you can take some of your profits from the ransom and go try to buy yourself a soul or compassion. You need both.