On November 24, the NoEscape ransomware group added Granger Medical Clinic in Utah to their leak site.
As proof, NoEscape provided a filetree and screenshots. The filetree listed numerous files related to facilities and other internal documents, including files whose names appeared to relate to former and current providers and personnel. Some filenames suggested they would contain confidential information including disciplinary actions and terminations as well as Family Medical Leave Act (FMLA) documentation for employees.
The screenshots provided included some employee files and internal documents.
NoEscape wrote on their listing:
The company’s network was successfully encrypted and compromised.
After lengthy negotiations, the guys made their choice.
We have more then 35GB sensitive data, such as:
Confidential agreements and contracts, NDA.
More than two thousand documents on dismissal and the right to employment of employees, as well as personal data of patients which contain data such as First last name\dob\adress\city\state\zip\mail\pthone\ we also have more than 2 thousand passports and tens of thousands of SSN cards!!!
Audits, reports, finance, databases, budget, banking! Letters, insurance, Credentialing, licenses, payments, invoices, Payroll and tens of thousands of other confidential and important documents, the leakage of which will lead to multi-million dollar losses.
From the above, it sounds like there were negotiations that fell apart and Granger decided not to pay. NoEscape’s message ended:
You only have one chance and that is to pay us $700,000 within 24 hours or within 24 hours we will publish here absolutely all the data we have.
NoEscape’s notice does not indicate when they first accessed or compromised Granger.
The listing, posted on November 24, was still there when DataBreaches checked on November 25, but this morning, the last threatening line had been removed and replaced with a single word: “Bye!” and NoEscape leaked more than 31 GB of files in a multi-part leak.
DataBreaches has not yet acquired all the data to attempt to determine what is in the leak, whether there is any patient data in there, and if so, how much. Given how slow the download speed is and how many parts there are to download, it will take considerable time.
DataBreaches sent email inquiries to Granger yesterday and today but has received no reply as yet. This post will be updated when more information becomes available.