Update: Goodman Campbell Brain and Spine ransomware incident affected 362,833 patients and employees
On June 9, DataBreaches reported that Goodman Campbell Brain & Spine in Indiana had apparently become a ransomware victim of Hive threat actors on or about May 20. The threat actors added the medical practice to their dedicated leak site on June 8 and leaked a “proofpack” that contained passwords for accounts as well as personal and financial information on doctors. The leak also included information on named patients with their diagnoses and procedures, with some insurance information. As DataBreaches noted in that report, the medical practice had already disclosed the incident on their own website.
On July 19, Goodman Campbell updated their website notice again and sent out notification letters to individuals. In a submission to the Maine Attorney General’s Office filed by their counsel at Hall, Render, Killian, Heath & Lyman, P.C., Mark Swearingen indicated that a total of 362,833 persons were affected. The submission does not break down how many of those were employees and how many were patients, and the medical group’s report is not yet displayed on HHS’s public tool to give us the number of patients affected. What we do know from Goodman Campbell’s disclosures are that the data types for any patient might include their name, date of birth, address, telephone number, email addresses, medical record number, patient account number, diagnosis and treatment information, physician name, insurance information, date(s) of service, and Social Security number.
But the July 19th letter to those affected, provided to the state as a copy of what was sent to those affected contains a curious statement:
While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the Dark Web, which is a portion of the internet that cannot be found by search engines and is not viewable in a standard web browser and is commonly used in these types of attacks.
That statement is not mirrored in their July 19th website update. Nor is it accurate.
In a June 17 update on the Goodman Campbell’s site, they wrote:
While our investigation with forensic experts and law enforcement officials is still ongoing, we have determined that a number of files obtained by the cyber criminals during the course of this cyber-attack have been posted on the dark web.
That statement was accurate. So where did Goodman Campbell get the idea that data may only have been exposed for 10 days? As of a check yesterday, the data from the proofpack posted on June 8 are still freely available.
DataBreaches emailed Goodman Campbell yesterday to inquire why they claimed data was on the dark web for (only?) 10 days. No reply was received.
DataBreaches will continue to monitor dark web sites including Hive’s to see if there is a major data leak from this incident at some point. It would not be unusual for Hive to do a full data leak or dump months after an entity refused to pay ransom.
But even if Hive does not dump more data than they have already leaked, patients and employees of Goodman Campbell should understand that their personal and protected health information is still in the hands of criminals who may dump it or misuse it at any moment. Goodman Campbell appears to be offering those affected one year of complimentary credit report monitoring through TransUnion. That provides the ability to check your credit report to determine if there are any suspicious changes, but it’s not the same as monitoring dark web sites to see if your name or identity information has shown up anywhere.
In this type of situation where patients and employees may not know when the situation changes, it might be prudent to consider putting a security freeze on your credit report so that new accounts requiring the use of a Social Security number cannot be opened if the lender does a credit report check.