NC: Sandhills Center Provides Notice of Potential Data Theft
On July 30, 2021, DataBreaches.net reported on a claimed cyberattack against Sandhills Center in North Carolina. Data for sale had shown up on the “Marketo” site, and when DataBreaches.net looked at the “proof packs” of data, they included psychological evaluations and other documents with personal and sensitive information. Much of the data was old, and Sandhills was not answering inquiries sent to it by this site.
Getting no response from either Sandhills or the North Carolina Department of Health and Human Services, this site filed a Freedom of Information Request with the NC DHHS to obtain records of what Sandhills had reported to the state.
In response, the state agency asked DataBreaches.net if it would withdraw its request in favor of a more informal response and sent the following statement:
Sandhills notified the Privacy and Security Office at the North Carolina Department of Health and Human Services of a data breach at Sandhills. The breach did not involve any client personal health information. Sandhills continues to work with NCDHHS and their cyber security insurance carrier about this.
DataBreaches.net responded to the state by agreeing to withdraw the public records request “for now,” but expressed concern and a need for the state to investigate the matter, informing the state agency, in part:
You wrote, “The breach did not involve any client personal health information.” That is demonstrably false. I am looking at files with personal health information — Medicaid information, ICD diagnostic codes, treatment plans, adminission (sic) dates, etc etc. There is a lot of personal and sensitive information on clients, even if some of it would be covered by FERPA and not HIPAA.
I am attaching just four files from a small sample that the threat actors provided me with for reporting purposes. I have left the filenames intact in the attached files so that Sandhills should be able to confirm them and find them on their server(s).
I understand that the threat actors claim to have 634 GB of data. That is a huge amount, especially if it is files like the scanned pdf files I have been looking at.
On August 12, the state responded:
I’ll get back to you when I know more.
That was the last this site heard from the state, but then yesterday, Sandhills issued a press release that states, in relevant part:
WEST END, N.C. Sept. 3, 2021 /PRNewswire/ — Sandhills Center LME/MCO (“Sandhills Center”) announced today that it has notified four (4) patients of suspicious criminal activity relating to the potential exposure of protected health information (“PHI”). While Sandhills Center cannot confirm whether any information in its systems was subject to unauthorized access, it has notified the four (4) individuals, as well as the Federal Bureau of Investigation, federal Department of Health and Human Services, North Carolina Department of Health and Human Services, and the general public in an abundance of caution.
What Happened? On or about July 21, 2021, an anonymous criminal contacted Sandhills Center claiming to be in possession of stolen data, including protected health information (“PHI”), from Sandhills Center’s system, and attempting to extort Sandhills Center for monetary payment. Sandhills Center promptly reported the matter to the FBI, the federal Department of Health and Human Services, and the North Carolina Department of Health and Human Services, and launched an investigation into the nature and scope of the alleged data theft. Subsequently, the North Carolina Department of Health and Human Services received an email from a second unknown individual attaching records containing PHI for four (4) individuals.
Sandhills Center’s investigation has been inconclusive; however, Sandhills Center has confirmed that the records were maintained by Sandhills Center, as well as a number of other entities. As such, Sandhills Center has provided written notification to the four (4) impacted individuals and is providing this public notice of the criminal threats in an abundance of caution.
What Information Was Involved? Sandhills Center is aware that an unknown individual has sent the North Carolina Department of Health and Human Services copies of medical records containing medical diagnosis/treatment information for four (4) individuals, which documents are in the possession of Sandhills Center, as well as other medical providers and/or regulatory authorities. More broadly speaking, Sandhills Center maintains documents containing medical diagnosis/treatment information for patients; however, Sandhills Center is unaware of any evidence suggesting those documents were accessed or acquired.
What Sandhills Center is Doing. Following its investigation, Sandhills Center has taken steps to further secure its environment and is reviewing existing policies and procedures and implementing additional safeguards to further secure the information in its systems. Although Sandhills Center cannot confirm whether any information in its systems was subject to unauthorized access, Sandhills Center takes these matters extremely seriously, and therefore is providing this public notice in an abundance of caution and after consulting with the North Carolina Department of Health and Human Services.
You can read the full press release with advice to those potentially affected here. Attempts to connect to Sandhillscenter.org at the time of this posting return a “site unavailable” message.
As an educated guess, DataBreaches.net is the “second unknown individual” who provided four files to the state agency. The submission was not made anonymously, but apparently the state did not identify this site as having been the one providing files to them.
In any event, it seems that Sandhills is saying that they could not confirm any breach of their system or exfiltration of data, and it is possible that the four files came from the system of another party or agency that might also have those records on those individuals. While that is certainly possible, is there any one agency or party that could conceivably have all of the four records and old records like that?
DataBreaches.net originally only had a relatively small proof pack from Marketo, and as noted in the original reporting, that proof pack was confusing. DataBreaches.net found files in the proof pack that seemingly had nothing to do with Sandhills or other mental health agencies or support services in North Carolina and had reported:
In this case, the “proof pack” offered by Marketo was a confusing compilation of files that did not provide any compelling evidence that the files came from Sandhills Center or that the attackers had acquired any personal information on clients or employees. DataBreaches.net requested more proof, and was sent a second archive of files that did contain records that had Sandhills Center letterhead and other materials that are consistent with the Center’s mission and description.
Could the attackers have been so good that they left no trace of any intrusion or exfiltration? Could the attackers or Marketo have misidentified the victim? Either is possible.
At the present time, then, Marketo claims to be in possession of 634 GB of data that they claim came from Sandhills Center. Sandhills says they have not been able to confirm any access or exfiltration, so they are only notifying the four people whose files this site provided to NC DHHS and are providing public notice that probably will not be seen by many people whose records they created or stored over the past decades.
If Marketo provides proof that the data came from Sandhills or that their system was compromised, DataBreaches.net will follow up, but at this point, it’s not clear whose personal information was compromised and whose system was compromised.
Updated September 4: Post-publication, DataBreaches.net discovered that Marketo had dumped more data at some point. In light of that, DataBreaches.net has reached out again to the NC DHHS to alert them that more than 1,000 people also have had their records with personal and/or sensitive information dumped publicly. Although these data are also old, it should be possible to determine exactly how many agencies or entities would have possessed copies of all of these files. Many more than 4 clients or patients likely need to be individually notified.