On February 3,  Conti threat actors added Nocona General Hospital in Texas to their leak site, posting 20 files as proof that they had accessed the hospital’s files.  Many of the files contained patient records from 2018, and appeared to be pdf scans or doc files. They did not appear to be records from any current EMR system.  DataBreaches.net sent an inquiry to Conti asking them whether they would state whether they had hit some older server, but  received no reply.

Today, the threat actors dumped even more files, bringing the total number of files to more than 1,760.

As before, most of the files were not new patient records. In fact, some appeared to be old files, circa 2010.  The files did contain protected health information (PHI), including patient name, address, date of birth, Social Security number, diagnoses, and admission records showing why the patient sought treatment in the Emergency Department. There were also records containing health insurance information and requests for prior authorization, etc.

Today, in response to inquiries sent to the hospital over the past days, DataBreaches.net received a call from Brian Jackson of Jackson & Carter, external counsel for the hospital. He did not have a lot of information to share at this point, but stated that they believed that the threat actors had not been able to access the EMR system, and that what they had accessed appeared to be an older server that held files relating to the transfer of patients.  He reiterated what he had told NBC News — that they had not seen any ransom demand — but acknowledged that there might have been one and they just didn’t read it.  They received no phone call demands, he stated.

After looking through more of the data dump, they do not appear to me to be from a folder that would relate to the transfer of patients to other hospitals or facilities, and it’s not clear why there would be files from 2010 in with files from 2018 and even early 2020.  At some point, forensics will probably be able to clarify exactly where these files came from on their system.

Was Nocona even actually attacked with ransomware? When Jackson was asked whether the files were locked, he responded that they had been, but then it turned out he meant that the files had been secured before the attack. When the question was clarified for him, he responded that he believes that they were attacked with ransomware, but it clearly was not an answer said with any confidence.  He also stated, in answer to another question, that the hospital’s consultants believe that they have kicked the attackers out of their network.

At this point, DataBreaches.net does not know if Conti has more files from Nocona that they have not yet dumped, or if today’s dump was the last of what they have. It’s also not clear whether any of Nocona’s files were encrypted by the attackers, and given Jackson’s confusion about some terms, I wonder if it’s a file transfer system and not a folder about transferred patients that he meant to describe. In any event, this post will be updated or a new post created as more information becomes available.