On Friday, Mulkay Cardiology Consultants at Holy Name Medical Center (“Mulkay”) notified the Maine Attorney General’s Office of an incident they discovered at the beginning of September. According to their report, a total of 79,582 people were affected by the breach.
A copy of their notification letter to patients, appended to the submission, explained that this was an encryption incident that occurred between September 1 and September 5. They state that upon learning of the incident on September 5, they promptly contained it and rebuilt their systems from backups. They also notified law enforcement and worked with a forensic security firm to investigate and confirm the security of their systems.
The investigation determined that the unknown individual had “acquired certain files from our systems during that time,” and the files contained some individuals’ information: name, address, date of birth, Social Security number, driver’s license number or state ID, medical treatment information, and health insurance information.
A website version of the incident report and notification was also posted on Mulkay’s website. It states, “Mulkay has no reason to believe that any personal information has been misused for the purpose of committing fraud or identity theft, but as a precautionary measure, individuals should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely.” Those whose SSN or driver’s license number were involved are being offered complimentary identity theft protection services.
Because of Maine’s reporting requirements, we know the total number of people affected, but we do not know how many of them were patients. The incident has not yet appeared on HHS’s public breach tool.
What Mulkay’s Notice Does Not Reveal
While their notification forthrightly acknowledges an encryption event, the notice does not reveal that the threat actors were the relatively new group known as NoEscape. NoEscape had added Mulkay to their dark web leak site on September 2 (while they were still reportedly in their system, according to Mulkay). According to NoEscape’s claims, they acquired 60 GB of confidential and personal data on more than 30,000 patients. Their listing threatened to destroy Dr. Mulkay’s reputation by leaking all the patient data.
DataBreaches reached out to Mulkay via a site contact form in September but received no reply. Inspection of a dozen files that NoEscape subsequently posted as proof of claims suggested that these were real patient files. A filetree that was also uploaded by NoEscapee indicated that the files were from the medical group’s Hackensack directory.
When DataBreaches checked NoEscape’s site again in mid-October, the Mulkay listing was still displayed, but the leak site itself appeared somewhat different as some of the listings were now tagged with “DDoS” notations that had not been there previously. Mulkay was one of the ones tagged with “DDoS” and an attempt to connect to their site failed with a 508 error. DataBreaches does not know for how long their site was under DDoS attack, but by the next day, the listing had been removed from the leak site and Mulkay’s site did not appear to be having any issues.
The Mulkay listing never reappeared on NoEscape’s site, suggesting that Mulkay paid some ransom demand. While it’s possible the listing was removed for some other reason, under the circumstances, it seems plausible.
In their notification, Mulkay claimed that they rebuilt their system from backups, so perhaps they didn’t pay ransom to get a decryptor but paid the threat actors to get NoEscape to remove patient files from the leak site, to pinky swear that they would destroy all data they had stolen, and to stop the DDoS attacks.
There was no mention in Mulkay’s notification about any ransom demand or paying any ransom demand. Nor was there any mention of any patient data being leaked on the dark web. Hopefully, they will have informed those people whose data was leaked.
DataBreaches sent an email inquiry to Mulkay asking them to confirm or deny whether they paid any ransom to NoEscape. No reply was received.