On January 21, Medical Healthcare Solutions issued a statement on its website about a ransomware attack, although they do not state that it was a ransomware attack. Nor do they identify the incident as an attack by Conti, but it was.
Medical Healthcare Solutions, Inc. (MHS), recently experienced a cyber-incident that impacted some protected health information (PHI) within its data network. MHS immediately shut down its data system, conducted an extensive investigation, notified law enforcement, and implemented additional security measures. On November 19, 2021, MHS discovered the unauthorized party may have removed files from its network. On January 8, 2022, MHS identified a final list of impacted PHI, and on January 21, 2022, sent notifications by mail to impacted individuals.
Some of the impacted information may have included: name, address, date of birth, sex, phone number, email address, Social Security number, driver’s license/state ID number, financial account number, routing number, payment card number, card CVV/expiration, diagnosis/treatment information, procedure type, provider name, prescription information, date of service, medical record number, patient account number, insurance ID number, insurance group number, claim number, insurance plan name, provider ID number, procedure code, treatment cost, and diagnosis code. MHS is issuing this notice on behalf of its clients, Harvard Medical Faculty Physicians at Beth Israel Deaconess Medical Center and Associated Physicians of Harvard Medical Faculty Physicians at Beth Israel Deaconess Medical Center.
The privacy and security of the personal information MHS maintains on behalf of its clients is of the utmost importance. MHS has established a dedicated assistance line for impacted individuals with questions or concerns at 855-675-3125, Monday through Friday, (except U.S. holidays), from 9 a.m. – 9 p.m., EST, or by mail at P.O. Box 3160, Andover, MA 01810-0803. In addition, MHS is offering impacted individuals up to 24 months of credit monitoring and identity protection services.
Notified individuals should take actions to help protect their information by remaining vigilant in reviewing their account and explanation of benefits statements and consider placing a fraud alert and/or security freeze on their accounts.
When did the attack occur, though, and when did the Massachusetts-headquartered MHS first discover it or should have discovered it? Conti threat actors added MHS to their dedicated leak site on October 27, 2021, which means that the attack had happened before then, and Conti had presumably been unsuccessful by that time at getting MHS to pay them any ransom demands.
Although MHS’s website statement does not reveal when the initial attack occurred, a filing by MHS to the state reports that their investigation revealed that files had been exfiltrated from their network between October 1 and October 4.
So could they have discovered the breach in early October instead of November 19? And how did they discover it on November 19? Was it because of a ransom demand with proof of claim or because some journalist contacted them to inquire about Conti listing them on their leak site? Or did they discover this through their own internal defenses?
On January 15, Conti leaked what they claim represents 95% of the files that they exfiltrated from the business associate.
MHS’s statement does not disclose that data have been, and remain, freely available on both the dark web and clear net (Conti has a clearnet mirror). And while they offer those affected 24 months of mitigation services, DataBreaches.net continues to maintain that entities should inform people when they know that data has been leaked and is being circulated or shared.
Although the incident may have been reported to HHS by now, it does not yet appear on HHS’s public breach tool so we do not know the total number of patients reportedly impacted by this breach if MHS reports on behalf of their clients (some clients may choose to report on their own).
A notification with a template of MHS’s notice to individuals has been submitted to the Massachusetts Attorney General’s Office, however, and appears below. As of the time of this publication, however, the incident has not been added to the state’s public list of breaches, so we do not know how many Massachusetts residents were impacted by this.
This post may be updated as more details become available.
Update 1: This incident was reported to Massachusetts on January 24, 2022 as impacting 118,417 Massachusetts residents. It has not yet shown up on HHS’s breach tool (they are only as current as Jan. 21 as of the time of this publication).