“Without Undue Delay,” Part 2
If you follow the news on how lucrative ransomware attacks are, you have probably read how the Ryuk threat actors have made an estimated $150 million, and how Egregor threat actors are also doing a lot of damage. Neither group focuses solely on the healthcare sector, but recent reports by Check Point and Fortified Health Security both point to healthcare being one of the most attacked sectors this past year.
While we (the general public) do not have much visibility into Ryuk, we do have some visibility into how often some teams of threat actors attack and dump protected health information on dedicated leak sites when victims do not pay their ransom demands.
In November, DataBreaches.net looked at whether ransomware attacks on U.S. medically-related entities were disclosed quickly to patients and regulators when protected health information (PHI) had been publicly dumped. And in a follow-up post last week, we looked at whether some of the unreported incidents had eventually been reported (spoiler alert: a lot still hadn’t been disclosed by the victim entities).
Those 30 reports were not the only reports of ransomware incidents that appeared on threat actors’ dedicated leak sites in 2020, of course. All of the entities listed below were also named on dedicated leak sites. As in the original report, these incidents are grouped by threat actor(s), and not chronologically. Note that some of these reports are quite new/recent, and inclusion on this list does not mean that we think that the entity should have already notified regulators or patients. Indeed, inclusion on this list does not definitively mean an entity was even hacked, as once again, there appeared to be some errors in attribution.
Incidents Posted by Conti Threat Actors
Galstan & Ward Family and Cosmetic Dentistry (Galstan & Ward) were attacked on or about August 31, but would later reveal that they did not know they had been attacked with ransomware or that there was any ransom demand. When their system seemed a bit wonky, they had their external IT vendor wipe the server and reinstall from backups. On September 9, they were surprised to receive a call from the threat actors telling them that they had been attacked and that they needed to pay so that patient data was not dumped. On September 11, the dental practice learned that some files had been dumped, although those files did not contain any patient information. On November 6, they notified HHS that 10,759 patients were impacted. And on November 13, Galstan & Ward notified their patients by letter, a copy of which was posted on their web site.
Gastroenterology Consultants Ltd in Nevada was added to Conti’s leak site on December 23, with 27 files uploaded as proof. The files contained detailed patient information, some of it as recent as the beginning of December 2020. There has been no public response or statement by the medical group as yet, and they have not responded to this site’s inquiries. On January 8, Conti dumped more of their patient files. There are now almost 800 files dumped.
Golden Gate Regional Center was added to Conti’s leak site in late September, shortly after they were attacked. On November 20, GGRC posted a notice on their site about the incident. They also reported the incident to HHS, noting that 11,315 patients or clients were impacted. Their report to HHS checked a box indicating the involvement of a business associate (BA), but it is not clear what involvement any BA had, and GGRC did not respond to inquiries from this site.
Taylor Made Diagnostics in Virginia was added to Conti’s site in December. They, too, have not responded to emailed inquiries following the first small dump of patient data, and they have not posted anything on their site to alert patients. On January 8, Conti dumped what they described as 100% of the stolen files — 3,464 patient files.
Warren-Washington-Albany ARC (WWAARC) was also added to Conti’s site in December. WWAARC is a Chapter of The Arc New York, and is a nonprofit organization serving nearly 1,000 people with intellectual and developmental disabilities. Some of the most concerning data dumped by the attackers include payroll/tax info for hundreds of employees, and incident discussion notes from monthly board meetings. The latter do not name the clients or individuals involved, but provide highly detailed and specific information about accidents, injuries, concerns, and other serious matters. DataBreaches.net called WWAARC to make sure they were aware of the breach and data dump. A detailed phone message was left and a second employee was also informed. No one ever called back, and there is no notice on WWAARC’s site at this time.
Leon Medical Centers in Florida was also added to Conti’s site in December. The multi-location entity responded promptly to this site’s inquiry asking them for a statement. Conti eventually dumped more than 230 GB of data, including almost 2 million files that contained PHI (these files have not yet been deduplicated to get the number of unique patients). Employee info was also dumped. Conti claims to still have more files that they will dump. On January 8, LMC issued a press release saying that they were preparing letters to patients and employees and had notified law enforcement and HHS. Their report to HHS has not yet appeared on HHS’s public breach tool.
Incident Posted by REvil (Sodinokibi) Threat Actors
New Jersey Dental Hygienists’ Association (NJDHA) was allegedly attacked on or shortly after October 20 — but was it really them? REvil added a listing about them to their leak site on Nov. 5 that has not been updated since then. The data dump contains more than 70,000 files in one archive that appear to be related to patient care and histories, and almost 90,000 files in a second archive. The files contain personal and protected health information including insurance and billing information. Banking information is also included with business/financial files. After inspecting the data, DataBreaches.net reached out to Dental Health Associates, P.A. DHA also has a domain name of NJDHA, but they are .com and not .org, and the data appeared to come from them and not the dental hygienists’ association. DataBreaches.net does not know if there is any association between the two entities or whether this is just a coincidence and REvil simply linked to the wrong entity, but Dental Health Associates, P.A.’s name and letterhead were found in numerous files. DHA did not respond to inquiries sent last week and last night, and there is nothing on their site at this time to alert patients to any breach.
Incidents Posted by DoppelPaymer Threat Actors
Reconstructive Orthopedic Center (ROC) in Houston was added to DoppelPaymer’s leak site in mid-November. As previously reported, the data dump contained a large amount of PII and PHI. ROC has not responded to multiple inquiries in November and December, and there is no notice on their web site. Nor does any listing for them appear on HHS’s public breach tool. Their listing on the threat actors’ leak site has been viewed almost 17,000 times as of the time of this writing.
Apex Laboratory, Inc. has locations in New York and Florida. DoppelPaymer added them to their leak site in mid-December with a combination of old and new files as proof. They, too, did not respond to inquiries, but two days after DataBreaches.net started calling their clients to see if they knew about the breach, Apex posted a statement on their site about their response. See this site’s follow-up report on the Apex incident for more details about the data, Apex’s incident response, and timeline.
Incidents Posted by Egregor Threat Actors
Egregor, which some believe involves the threat actors previously known as Maze, recently listed a few medical entities on their leak site (their site has been down all week):
Paramount Dental Studio in Huntington Beach, California is listed as a victim, but the data Egregor dumped as proof is not from Paramount at all — it appears to be a data dump from an Australian dental surgery practice — a dental practice that Egregor does not list on its site. Neither Paramount nor the Australian dental surgery have responded to multiple inquiries from DataBreaches.net.
Coldwater Orthodontics in Michigan was listed by Egregor in mid-November. The threat actors’ proof included some data, but the data do not appear to involve any patient information and are more oriented to business forms and marketing at this point. It is not yet clear whether the attackers actually accessed or exfiltrated any protected health information. Coldwater has not responded to any inquiries and this incident does not appear on HHS’s breach tool. Egregor has not updated that listing since its original posting.
Delta Dental Plans Association in Oak Brook, Illinois was also added to Egregor’s leak site. DataBreaches.net has gotten no response to inquiries to the DDPA and there is no notice on their web site to disclose any breach.
Incident Posted by Maze
Maze Team, who is often credited with starting the recent trend of dedicated leak sites to put pressure on ransomware victims, announced on November 2 that they had closed their project and that in due course, their leak sites would disappear.
One of their older attacks was not included in Part 1 of Without Undue Delay, so we include it now, even though the data dump is no longer available online:
All About Potential Family Chiropractic, PC, is the office of Drs. Scott and Dawn Hourigan in Spearfish, South Dakota. DataBreaches.net reported on this breach at the beginning of February, 2020, but the doctors never responded to inquiries, and never posted anything on their web site about the attack. We do not know if they ever sent out notifications to patients whose PHI was accessed and exfiltrated. The incident does not appear on HHS’s public breach tool.
Incident Posted by NetWalker
Crozer-Keystone Health System was added to NetWalker’s leak site in June, as this site reported at the time. On August 14, they notified HHS of the incident, reporting that 6,863 patients were impacted. On October 26, they posted a substitute notice saying that the breach had been discovered on June 4. Why the substitute notice was first published more than 2 months after notification to HHS is unclear, but of note, they wrote:
Based on our ongoing investigation, we believe that no patient data was misused or made public and that no such data is at risk for future misuse or public disclosure. We took further measures to ensure that any impacted data was returned.
From that last line, it sounds like they paid ransom. But if they reported 6,863 patients were impacted, then their “belief” that data won’t be misused is no different than Blackbaud telling victims that they were confident the attackers they paid could be trusted to delete all data and not misuse it.
In this second part of Without Undue Delay, we reported 15 more ransomware attacks targeting medical sector entities. Of these 15, four have already reported the incidents to patients or to HHS. Two others have acknowledged having been attacked, but have not yet sent letters to patients. And we saw that two victims were likely misidentified.
DataBreaches.net will continue to follow up on all of the incidents reported in Parts 1 and 2.
Any corrections or updates to this report can be e-mailed to breaches[at]databreaches.net.