“Without Undue Delay,” Part 2

If you follow the news on how lucrative ransomware attacks are, you have probably read how the Ryuk threat actors have made an estimated $150 million, and how Egregor threat actors are also doing a lot of damage. Neither group focuses solely on the healthcare sector, but recent reports by Check Point and Fortified Health Security both point to healthcare being one of the most attacked sectors this past year. While we (the general public) do not have much visibility into Ryuk, we do have some visibility into how often some teams of threat actors attack and dump protected health information on dedicated leak sites when victims do not pay their ransom demands. In November, DataBreaches.net looked at whether ransomware attacks on U.S. medically-related entities were  disclosed quickly to patients and regulators when protected health information (PHI) had been publicly dumped. And in a follow-up post last week, we looked at whether some of the unreported incidents had eventually been reported (spoiler alert: a lot still hadn’t been disclosed by the victim entities). Those 30 reports were not the only reports of ransomware incidents that appeared on threat actors’ dedicated leak sites in 2020, of course.  All of the entities listed below were also named on dedicated leak sites. As in the original report, these incidents are grouped by threat actor(s), and not chronologically. Note that some of these reports are quite new/recent, and inclusion on this list does not mean that we think that the entity should have already notified regulators or patients. Indeed, inclusion on this list does not definitively mean an entity was even hacked, as once again, there appeared to be some errors in attribution. Incidents Posted by Conti Threat Actors Galstan & Ward Family and Cosmetic Dentistry (Galstan & Ward) were attacked on or about August 31, but would later reveal that they did not know they had been attacked with ransomware or that there was any ransom demand. When their system seemed a bit wonky, they had their external IT vendor wipe the server and reinstall from backups. On September 9, they were surprised to receive a call from the threat actors telling them that they had been attacked and that they needed to pay so that patient data was not dumped.  On September 11, the dental practice learned that some files had been dumped, although those files did not contain any patient information. On November 6, they notified HHS that 10,759 patients were impacted. And on November 13, Galston and Ward notified their patients by letter, a copy of which was posted on their web site. Gastroenterology Consultants Ltd in Nevada was added to Conti’s leak site on December 23, with 27 files uploaded as proof. The files contained detailed patient information, some of it as recent as the beginning of December 2020. There has been no public response or statement by the medical group as yet, and they have not responded to this site’s inquiries. On January 8, Conti dumped more of their patient files. There are now almost 800 files dumped. Golden Gate Regional Center was added to Conti’s leak site in late September, shortly after they were attacked.  On November 20, GGRC posted a notice on their site about the incident. They also reported the incident to HHS, noting that 11,315 patients or clients were impacted. Their report to HHS checked a box indicating the involvement of a business associate (BA), but it is not clear what involvement any BA had, and GGRC did not respond to inquiries from this site. Taylor Made  Diagnostics in Virginia was added to Conti’s site in December. They, too, have not responded to emailed inquiries following the first small dump of patient data, and they and have not posted anything on their site to alert patients. On January 8, Conti dumped what they described as 100% of the stolen files — 3,464 patient files.  Warren-Washington-Albany ARC (WWAARC) was also added to Conti’s site in December. WWWAARC is a Chapter of The Arc New York, and is a nonprofit organization serving nearly 1,000 people with intellectual and developmental disabilities. Some of the most concerning data dumped by the attackers include payroll/tax info for hundreds of employees, and incident discussion notes from monthly board meetings. The latter do not name the clients or individuals involved, but provide highly detailed and specific information about accidents, injuries, concerns, and other serious matters. DataBreaches.net called WWAARC to make sure they were aware of the breach and data dump. A detailed phone message was left and a second employee was also informed. No one ever called back and there is currently no notice on WWAARC’s site at this time. Leon Medical Centers in Florida was also added to Conti’s site in December.  The multi-location entity responded promptly to this site’s inquiry asking them for a statement. Conti eventually dumped more than 230 GB of data, including almost 2 million files that contained PHI (these files have not yet been deduplicated to get the number of unique patients). Employee info was also dumped. Conti claims to still have more files that they will dump.  On January 8, LMC issued a press release saying that they were preparing letters to patients and employees and had notified law enforcement and HHS. Their report to HHS has not yet appeared on HHS’s public breach tool. Incident Posted by REvil (Sodinokibi) Threat Actors New Jersey Dental Hygienists’ Association (NJDHA) was allegedly attacked on or shortly after October 20 — but was it really them?  REvil added a listing about them to their leak site on Nov. 5 that has not been updated since then. The data dump contains more than 70,000 files in one archive that appear to be related to patient care and histories, and almost  90,000 files in a second archive. The files contain personal and protected health information including insurance and billing information.  Banking information is also included with business/financial files. After inspecting the data, DataBreaches.net  reached out to  Dental Health Associates, P.A.  DHADataBreaches.netRead More