Nine months after ransomware attack, Atlantic Dialysis Management Services notifies patients and regulators
In August 2022, DataBreaches reported a ransomware attack on Atlantic Dialysis Management Services (ADMS) by Snatch Team. DataBreaches first learned of the breach in June 2022, when Snatch Team named ADMS on their leak site. Between then and August 16, when DataBreaches reported on the incident, ADMS ignored requests from this site for information about their response to the attack. Even after Snatch Team started leaking data and DataBreaches contacted ADMS again, they did not reply. DataBreaches’ reporting in August 2022 included examples of what had been leaked by then and questioned some of the claims ADMS made in their press release of August 5. DataBreaches reported, in part:
Nowhere does ADMS’s statement of August 5 indicate that there was an extortion attempt in connection with this incident, that some data had already been leaked on the internet, and that more might be leaked.
On January 15, 2023, Snatch Team leaked 39 GB of files from ADMS. As of today, there appear to have been 62 downloads of data that includes personal and protected health information.
ADMS’s notice of August 5 is still available on their website and has not been updated, even months after 39 GB of files were dumped. Their website notice still does not tell people that their personal and protected health information was exfiltrated and dumped on the internet.
Their letter to patients, a copy of which was submitted to the Massachusetts Attorney General’s Office, begins:
Atlantic Dialysis Management Services, LLC (“ADMS”) writes to notify you of a recent incident that may impact some of your personal information described below. We take the privacy of information in our care seriously. At this time, there is no indication that any information has been misused. However, ADMS is providing this notification to you out of an abundance of caution and so that you
may take steps to safeguard your information if you feel is it necessary to do so.
What We Are Doing:
ADMS has taken every step necessary to address the incident and is committed to fully protecting all of the information entrusted to us.
Every step necessary except notifying people last year after they first became aware of a breach? Every step necessary except fully disclosing to patients that their data is on the clearnet and dark web and available for download?
This week, ADMS notified HHS of the incident as a business associate. They filed 14 reports on March 21 and March 22 (although one might be in error as a duplicate).
For the 13 reports filed with HHS on March 22, a total of 16,121 patients were reportedly affected. That number is not necessarily the total number of patients affected if some covered entities decided to do their own notifications.
DataBreaches is not posting screencaps from the 39 GB data dump at this time but continues to be concerned when entities do not fully disclose to patients when their personal and protected health information has not only been stolen but leaked.