U.S. medical entities fall prey to Pysa threat actors, but many haven’t disclosed it – at least, not yet.

—– A DataBreaches.net report by Dissent and Chum1ng0 —–

Since 2018, threat actors known as “Pysa” (for “Protect Your System Amigo”) have used mespinoza ransomware to lock up victims’ files after exfiltrating a copy of them. In early 2020, alerts about these “big-game hunters” were published by both the FBI and CNIL. Since then, Pysa has continued to pose a threat to the medical and education sectors.

Like a number of other ransomware-as-a-service (RaaS) groups, Pysa maintains a dedicated leak site on the dark web where they list victims who do not pay their ransom demands and then dump their data. They call them “partners.”

In the first part of this 2-part series, we looked into 11 attacks listed on their site involving U.S. entities that would be covered by HIPAA or that collect health or patient information without necessarily being covered by HIPAA. In Part 2 of this series, we will look at attacks on K-12 districts in the U.S.

Overview

Of the 11 entities discussed in this first report, three disclosed the attacks and also reported them to the U.S. Department of Health & Human Services (HHS). In the eight other cases, we were either unable to get confirmation that the incident involved medical or health data (three cases) or we found clear evidence of protected health or medical information but no disclosure by the entity, no notice on any web site, and no report to regulators (five cases).

Three Incidents Reported to HHS

Three of Pysa’s medical sector victims did report the attacks to HHS, to patients who were impacted, and to the public:

Assured Imaging was added to Pysa’s site on September 13, 2020 after the mobile digital mammography firm did not pay ransom after a May attack. The data dump was uploaded to Mega.nz, which removed it for violation of their terms of service. Assured Imaging reported the breach to HHS as impacting 244,813 patients and posted a notice on their web site in August, 2020. According to the notice, which has since been removed, the types of patient information compromised included full name, address, date of birth, patient ID, facility, treating clinician, medical history, service performed, and assessment of the service performed, including any recommendations on future testing. In May, 2021, Assured Imaging got some good news when a court dismissed a potential class action lawsuit against them, finding that the plaintiffs hadn’t demonstrated any injury in fact or any evidence of a “certainly impending injury.”

Piedmont Orthopedics / OrthoAtlanta was added to Pysa’s site on August 6, 2020. In September, 2020, OrthoAtlanta notified HHS and the public that 5,600 patients were impacted. They also posted a notice on their web site. Pysa uploaded copies of the exfiltrated data to file-sharing site Mega.nz, which removed it for violation of their terms of service, but OrthoAtlanta’s notice claimed that the patient data included a variation of patient names and addresses, birthdates, phone numbers, medical or health insurance information and social security numbers.

LifeBridge Community Gastroenterology, LLC dba Woodholme Gastroenterology Associates was added to Pysa’s site with a date of February 1, 2021. In April, they notified HHS that 50,000 patients were impacted by an incident. According to the notice to patients on their web site, the data was exfiltrated on February 25. Inspection of Pysa’s data dump reveals that the threat actors exfiltrated both employee and patient data. According to Woodholme’s statement, the patient data involved the following data types: patients’ names, addresses, email addresses, dates of birth, patient identification numbers, diagnoses and/or treatment information may have been contained in the files. In limited instances, the files also included patients’ Social Security numbers, driver’s license numbers, and/or health insurance information.

But while Woodholme informed patients that data was exfiltrated, they also wrote, “We have no indication any patient information has been misused.” The notice did not tell those impacted that their protected health information was dumped on the dark web for people to freely download. We know there is no legal requirement to tell patients that their data has been dumped on the internet, but we think patients should be told so that they can better gauge their risk and take steps to protect themselves.

Three Incidents — Were There Medical Records?

In three cases, we were unable to confirm the breach of any patient protected health information (ePHI) or health data. In two cases, Pysa’s proof did not completely download correctly and the entities never responded to our inquiries: Children’s Network of Southwest Florida, and Drug Alcohol Testing and Screening Compliance.

The Children’s Network is an agency involved in foster placements, and we could not determine whether any of the exfiltrated files contained health data on the children, although it seemed clear that personal information on parents and children was involved. They did not respond to multiple inquiries sent to them in June and July.

The data for the Drug Alcohol entity included a lot of business files and some files that seemed likely to contain personal information – but was any of it patient information? Email inquiries to both DATCS and the threat actors did not result in responses by publication time.

Upstate Home Care was also listed as a victim. In Upstate’s case, we were able to inspect the proof of claim data, but it did not appear to contain any significant patient data and appeared to be corporate and employee data. Upstate was contacted via their web site to inquire whether any patient data was involved, but no reply was received by the time of this publication.

Five Incidents That Involved Patient Data But Weren’t Reported?

Disclaimer: We did not find any evidence that any of the five incidents in this section were reported to HHS or to patients, but that does not mean that they were not disclosed somehow or that the five entities have violated HIPAA or any laws. As is too often the case, the entities did not respond to inquiries.

Bolton Street Pediatrics (Marlborough,