Healthcare entities in Saudi Arabia, Illinois, and Mississippi fall prey to Xing Team

Some threat actors have gained a lot of notoriety while others are lesser known. In this article, DataBreaches.net reports on a relatively unknown group that has been hitting the healthcare sector, “Xing Team.” Like other groups, Xing maintains a dedicated leak site. Currently on that leak site are three large data dumps from three different medical/healthcare entities — two in the U.S., and one in Saudi Arabia. DataBreaches.net reached out to all three entities, but received no responses. The following report should therefore be viewed as unconfirmed by the named entities, although quite a bit of data has been dumped to support such hypotheses. GlobeMed Saudi Xing Team claims to have acquired patient data, employee data, and financial reports from GlobeMed Saudi, a healthcare benefits management firm. GlobeMed Saudi was first added to Xing Team’s site on May 6, and then data was dumped on May 11. Xing claims to have exfiltrated 201 GB of data, and has already dumped 100 GB. The dumped files contain a lot of personal and sensitive information as well as routine medical records of visits, etc. As examples:  one spread sheet contained information on Suspected and Confirmed Cases of Corona Virus for the period  from 01-02-2021 until 11-2-2021 ( February). That file contained information on 79 named patients that included the guarantor, the hospital, the patient’s name, the individual’s number, Visa, date, the diagnosis on admission, whether a test for Corona was done, and if it was, the results. There was also a field for comments or update notes. As one would expect, some files had multiple pages of records and follow-up. Not all files related to adult patients. DataBreaches.net noted a detailed report on a named child in a pediatric ICU unit due to a serious condition he had been born with. Saudi Arabia does not seem to have a clear data protection regime of regulations, but there does seem to be a duty to protect patient information. GlobeMed did not answer this site’s question about whether it would be notifying patients or how it is responding to this incident. As noted above, Xing Team dumped what they claimed was half of what they had exfiltrated. It remains to be seen if they dump more, and if so, what it contains. There have been more than 101,000 views of the listing, but there is no statistic on how many people may have downloaded data. OSF Healthcare According to its web site, OSF HealthCare is an integrated health system owned and operated by The Sisters of the Third Order of St. Francis, headquartered in Peoria, Illinois. They employ more than 23,000 Mission Partners in more than 350 locations, including 14 hospitals, 30 urgent care locations, and two colleges of nursing throughout Illinois and Michigan. On June 3, Xing published all the data they claimed to have exfiltrated — 112 GB — allegedly because the Company refused to cooperate and participants post all data here. You can get all! Emails, phones, staff data, patients information, contracts, finance information, pictures – all is available! Inspection of the data dump revealed a mix of what appeared to be thousands of actual patient files and some test files or dummy data. One folder, called “PDF” contained almost 4,700 pdf files on patients seen at the Family Health Center. These files included ultrasounds and other maternity-related records. While there are almost 4,700 files in just that one folder, that does not represent unique patients as each named patient had numerous files. Unfortunately, even the filenames apparently revealed ePHI by incorporating patient names and type of test or record. Another folder, called PFT, contained records from St. Paul Medical Center that appeared to relate to pulmonary testing on patients. A third folder, “png’s” had more than 516,000 image files going back to 2017, sorted by month. The images were of records such as explanation of benefits statements or other patient-related files. DataBreaches.net does not know how many unique patients may be represented in that folder, but it appears OSF Healthcare may have a significant number of patients to notify about this breach. OSF Healthcare did not respond to an email inquiry sent to it on May 20, nor to a second request sent last night. Coastal Family Health Center Coastal Family Health Center is in Mississippi. Xing added them to their leak site on May 24, claiming “Company refuses to cooperate and fix a reasons of leak. That’s why we were forced to publish all information we have.” “All information” appears to amount to 506 GB of data. There are numerous types of files in the dump. Some are more routine business-related files, but many do have personally identifiable information including housing and financial information or protected health information such as appointment records, medical histories, insurance-related information, and lab results. A number of the files concern patients with AIDS or who are HIV+. Another folder includes more than 900 photocopies of driver’s licenses, and yet other files relate to an arrangement between Coastal Health and a public school district to provide sports team screenings, etc. Yet another folder, “Docs,” contains an assortment of files, most of them with personal information on patients such as their eligibility for Coastal Family Health Center’s healthcare services for homeless people. Those forms may include financial/income verification or other forms of verification. A number of files seen by DataBreaches.net concern patients seen in April of 2021 and the first part of May, 2021. Comments: As of the time of this publication, none of the three entities has  replied to inquiries from DataBreaches.net, and this site has not found any press releases or web site notifications concerning these breaches (although it is actually early days for data first hacked in May and dumped a week or so ago). Xing Team is a relatively new presence in the ransomware scene. DataBreaches.net does not know much about these threat actors at this point, and has sent them an inquiry asking whether they have any exclusions in terms of who they will not attack. ForDataBreaches.netRead More