“Without Undue Delay, Part 1:” Update on earlier ransomware cases
In November, DataBreaches.net published a commentary arguing that patients need to be notified sooner of ransomware dumps even if HIPAA would seem to allow up to 60 days. As a companion to that piece, this site looked at 30 claimed ransomware attacks on U.S. healthcare entities that had been revealed on dedicated leak sites by threat actors in 2020. Our analysis noted whether there had been any public disclosure by the victims, whether the incident had appeared on HHS’s public breach tool, and/or whether it had appeared on any publicly available state attorney general site.
What we found at the time was that only a minority of the 30 entities had issued any publicly available notice or information for patients that we could find. Many of the entities repeatedly ignored inquiries from this site asking whether patient data had actually been breached, and if so, whether patients or regulators had as yet been notified.
The 30 claimed attack victims discussed in the report are listed in the table below. Those for whom we had found some type of notification are indicated in boldface:
1 Two different threat actors claimed to have attacked Ventura Orthopedics and dumped different data.
2 The threat actors had not dumped any patient data so it was — and is — unclear whether the incident definitely involved PHI although there was some proof that the entity had been attacked.
3 The original report may have erred in naming Tarbet, as it was later discovered that Amara Medical Aesthetics had posted a notice on its site on October 26 that seemed to relate to the breach identified as Kristin J. Tarbet, MD by Maze threat actors. Amara and Tarbet are associated entities. Did Maze identify the wrong victim or system? Perhaps. Tarbet never responded to inquiries and the Amara notice was more than five months after the first data dump with patient data. No report from Amara or Tarbet appears on HHS’s public breach tool.
4 The “proof” offered for this entity was not from that entity, and they never responded to inquiries as to whether they had been attacked.
DataBreaches.net followed up on the incidents where we had not found any notifications or disclosures by the November 9th report. In one case, we found that there was still no evidence of any hack provided by the attackers (the Abington claim by Maze). And in two other cases, there was still no evidence of any PHI dumped (Adams County Hospital and Med-Care Infusion), so we are not sure what the attackers actually accessed and exfiltrated.
Of 14 other follow-ups, six entities have provided some notice or notification since our November 9 report:
- Riverside Community Care Inc
- University Hospital New Jersey (UHNJ)
- Olympia House (Sonoma Recovery)
- Sonoma Valley Hospital
- Wilmington Surgical; and
- Beacon Health Solutions
Three of the above six entities appear on HHS’s public breach tool at this time.
With that update, we now have (only) 18 of the original 30 that have sent notifications to regulators or publicly posted notifications that we could find, even though some of the entities were breached months ago. Did they notify patients and/or regulators, but not publish anything on their sites or to HHS? We simply do not know what happened, if anything, and what they did in response because the entities have ignored inquiries.
Keep in mind that these reports only address incidents claimed on leak sites. We often have no window into attacks by threat actors who do not maintain leak sites (such as Ryuk). As one consequence, some of the largest or most impactful attacks have never shown up at all on dedicated leak sites. The more successful threat actors are, the less likely we are to see any mention of victims on their site, but the entities are still required under HIPAA to notify HHS and patients of reportable breaches.
DataBreaches.net will continue to follow up on the incidents described in the first part. In some cases, watchdog complaints have already been filed with HHS to ask them to investigate whether breached entities have actually notified them or patients.
But the 30 incidents in the first report were not a complete listing of U.S. ransomware incidents potentially impacting patients that had been posted on ransomware leak sites in 2020. In Part 2 of “Without Undue Delay,” to be published this week, we will report on other ransomware attacks against medically-related U.S. entities that also appeared on dedicated leak sites in 2020 and whether they have been disclosed to patients or regulators.
Corrections and updates to this post can be sent to breaches[at]databreaches[dot]net.
Update 1: Post-publication, this site was contacted about one of the as-yet-unreported incidents. As a result of that person’s keen eye and experience, DataBreaches.net has reached out to an entity who may be the actual victim of an attack attributed to a different victim name. This list may be updated when that entity responds to an inquiry DataBreaches.net sent to it today.