Why weren’t patients told that their data was dumped publicly?
On May 13, DataBreaches.net reported that Ako ransomware operators revealed that they had attacked North Shore Pain Management in Massachusetts. The threat actors announced the attack and dumped some of the practice’s files when the medical practice did not pay their ransom demand.
The data dump, more than 4 GB spread across more than 4,000 compressed files, included some patients’ personal and protected health information, as the redacted screenshots illustrated.
Since that time, North Shore Pain Management has ignored repeated requests by this site for information about the incident. It has even ignored an inquiry as to why they did not get the data dump removed from public access. To this day, the data dump with unencrypted patient data is still publicly and freely available to those who know where to look for it. Why didn’t the practice ask the hosting site to remove it (the hosting site does comply with such requests)? Did someone advise NSPM not to seek its removal? If so, who advised that and why?
On June 18, North Shore Pain Management notified HHS of the incident and reported that 14,472 patients were affected. This week, it also published a notice on its website. The notice states, in part:
On April 21, 2020, NSPM became aware that an unauthorized person gained access to the NSPM system and acquired some of our files on April 16, 2020. We worked with third-party experts, including the FBI, Secret Service, and privacy professionals, to investigate this incident and secure our network. The investigation determined that the acquired files contained information belonging to patients who directly paid NSPM or North Shore Anesthesia or whose insurance paid NSPM or North Shore Anesthesia between August 1, 2014, and April 16, 2020.
The notice dutifully lists all the types of information that may have been accessed by the threat actors. Then they include the now somewhat standard advice:
We want to assure you that we take this incident very seriously. We recommend that you review any statements that you receive from your health insurer or healthcare providers. If you see services that you did not receive, please contact the insurer or provider immediately. We also recommend that you review your financial account statements, and immediately notify your financial institution if you see any suspicious activity.
We are offering complimentary credit monitoring to patients whose Social Security number was involved.
You can read the full notice here. Nowhere does the notice inform patients that this attack involved ransomware and a ransom demand. But more disturbingly, nowhere does this notice inform patients that the threat actors already dumped some patient data and files on the dark web where anybody and everybody may have downloaded them or may still download them — and that the threat actors might dump more.
Why didn’t North Shore Pain Management disclose this in their notification? The fact that some data were already dumped is something that patients need to know to assess their risk and to take steps to protect themselves. These patients are not just at imminent risk of identity theft or medical ID theft. They would also appear to be at imminent and lasting increased risk of being spammed, phished, extorted, and/or possibly discriminated against because of their medical diagnosis or health history.
It is not known to this site what the threat actors intend to do next — whether they have more patient data that they will dump, or if they will contact individual patients and try to extort them not to release their sensitive medical information, or if they will sell the data to others who will abuse it for months before dumping it publicly, or none of the above. But in any event, this blogger believes that North Shore Pain has not fully informed patients. Not telling patients that their data has been dumped publicly is misleading them about the severity of the incident and their risk. Not telling them that more data may be dumped in the future may give them a false sense that they will not need to remain vigilant for years to come.
In our litigious society, I wouldn’t be surprised if some patient or patients file a potential class action lawsuit. If they do, and apart from the standard claims we see in such lawsuits, they may complain that NSPM didn’t take minimal steps to get their exposed patient data removed from public view. And they may also complain that NSPM never even told them that patient data had already been dumped and more might be dumped. If they do file a suit like that, I will be curious to see the outcome.