“Team Orangeworm” claims to be dumping CarePartners’ data from 2018 breach


In June 2018, CarePartners, a home care service provider to Ontario’s Local Health Integration Networks (LHINs) and an Ontario-based community health care agency, revealed that they had been breached. The following month, after being contacted by the hackers, CBC News provided more details and reported that the hackers had made an extortion demand. At that time, CBC reported:

The company says its forensic investigation has so far identified 627 patient files and 886 employee records that were accessed. But the sample provided to CBC News appears to contain names and contact information for more than 80,000 patients alone.

CarePartners’ statement in July 2018 indicated that they couldn’t confirm the accuracy of CBC’s claims.

Since July, this blog had not spotted any updates until last night, when DataBreaches.net was contacted by “team_orangeworm,” who provided a link to a paste. The CBC story had not named the hackers, and the “Orangeworm” name is one used by Symantec in an April 2018 report. According to those contacting this site:

last year CarePartners was hacked by our group
all of their patient and company data was stolen as a result.

[…]

after giving CarePartners the benefit of the doubt, we have still not received the requested payment to not leak patients’ medical files. it seems they are not concerned with their patients’ privacy.

The hackers released two data dumps. The first, an 891 MB compressed archive, was described as containing:

Company Financial documents
Hundreds of employee T4 statements (with SINS,DOB,Name,Address)
company banking information, accounts payable and wire transfers

That dump was described as “just the first of 4 data dumps, the other 3 will be released soon.” DataBreaches.net was unable to successfully download that dump after several attempts, and has emailed the hackers to ask if there is a mirror site. Until data are obtained that can be examined and validated, what the hackers may actually possess remains unconfirmed.

The second dump was described as an encrypted dump of “CarePartners Patient Data” that includes:

over 80,000 complete patient medical files.
SINS, address, fullname, DOB, phone, health card numbers, medical conditions and treatments.

That patient file is encrypted, and “Team Orangeworm” advertises that the encryption key can be purchased for 5 BTC by contacting them via a Protonmail email address that they provide in the paste.

DataBreaches.net contacted CarePartners and requested comment on this latest development as well as some additional details about the original attack. A spokesperson would not go beyond their media statements, however, which now include a statement dated February 4 that says:

CarePartners reminds patients and employees that they continue to monitor their personal and personal health information, including online accounts.

The statement does not mention that the alleged hackers have been publicly dumping data or putting it up for sale.

CarePartners’ spokesperson declined to confirm or deny whether CarePartners would now pay any extortion demand or “request.” He also declined to answer this site’s questions about whether the attack last year involved the Kwampirs trojan and whether the attackers had ever identified themselves as “Orangeworm,” or if that is something new.

Maybe the hackers will give me more information than CarePartners did. If they do, this post will be updated.

Update of February 8: please see this post for more information on what was in the first data dump, which this site has now obtained.


About the author: Dissent