Hive ransomware gang has added another healthcare-related victim to its leak site. This time, the victim is Consulate Health Care (CHC), a chain of service providers with a troubled financial history.
Enter Hive, Stage Left
Hive’s listing for CHC indicates that they locked CHC’s files on December 3.
Hive has already leaked some of what does appear to be CHC’s data. The ransomware group claims to have acquired:
– contracts, nda and other agreements documents – company private info (budgets, plans, evaluations, revenue cycle, investors relation, company structure, etc.) – employees info (social security numbers, emails, addresses, phone numbers, photos, insurances info, payments, etc.) – customers info (medical records, credit cards, emails, social security numbers, phone numbers, insurances, etc
Not all of those data types could be confirmed in the partial data leak, but it is clear that Hive did acquire a lot of data.
CHC’s Notice of Incident
Before any disclosure by Hive, DataBreaches learned that they would be leaking CHC data because CHC had ended negotiations after several weeks. Their representative indicated that they could not afford even the reduced amount demanded because their insurance would not cover any ransom payment.
Checking CHC’s website yesterday, DataBreaches was surprised that CHC had already disclosed the breach. But their description of the incident did not match what a spokesperson for Hive had informed DataBreaches.
Specifically, CHC’s notice of incident repeatedly refers to the incident as involving a vendor, e.g. (emphasis added):
One of our vendors recently suffered a security incident in early December where cybercriminals targeted portions of their network.
Our vendor promptly began working with third-party experts to help them investigate and respond to the incident. During that investigation, the vendor became aware that the unauthorized third party may have accessed records with personal information.
Although our vendor is still investigating the scope of that access….
The problem is that Hive’s spokesperson was quite definite that they did not attack any CHC vendor but had attacked CHC directly.
CHC’s notice refers to an early December incident, which is consistent with Hive’s December 3 lock date, so CHC’s notice is likely referring to the Hive attack. But why is CHC claiming the attack was on an unnamed vendor?
DataBreaches submitted two contact queries to CHC yesterday, asking them to respond to Hive’s claim that this was not a vendor attack, and requesting additional details, but has received no reply from CHC.
CHC’s Recent History of Bankruptcy
Hive’s listing states that CHC’s revenue is “1000 million.” Zoominfo.com does list CHC’s revenue as $1B, which may sound tempting, but CHC actually has a troubled financial history. Its history for more than a decade has resulted in so much bad press and litigation that it seems to have engaged in some complex rebranding and dividing up of corporations to distance itself from… itself.
CHC’s financial troubles began in 2011. A former nurse had turned whistleblower and had accused the owners of two skilled nursing homes of defrauding taxpayers by overcharging Medicaid and Medicare for rehabilitation services. CHC inherited the False Claims Act litigation in 2012.
In 2017, a civil jury agreed with the claims and penalized CHC more than $115 million, which was later reduced to $85 million. After trebling and penalties, though, the reduced judgment still amounted to $256 million. It was a considerable amount, but still lower than the original $347.9 million verdict after trebling.
In March 2021, CHC filed for Chapter 11 bankruptcy, claiming it did not have the resources to pay the False Claims judgment. A settlement of the bankruptcy case reduced the amount to $4.5 million, split between the government and the whistleblower. The settlement was approved in September.
So against the backdrop of what it had gone through, now CHC was faced with a ransom demand. They didn’t pay it but have issued a statement that claims the breach was not theirs, but a vendor’s?
DataBreaches will update this if a reply is received or more information becomes available.