DataBreaches would have passed over a listing on LockBit3.0’s site if Brett Callow hadn’t kindly called our attention to it. The listing by the threat actors was for HSKS Greenhalgh Chartered Accountants and Business Advisors, and LockBit claimed to have exfiltrated 168 GB of files with:
Employees (NIN numbers, passport scans, ID scans, Employee forms with personal data, residential address, telephone, DOB, tax forms with personal data P60, P45, contracts and much more)
financial documents (balance sheet, budget, tax forms, various financial statements, audits, transactions, etc.)
Client databases, contracts, client working documents (corporate finances, audits, tax forms, employee information, court records, mail correspondence, USA patient database with personal data (Full name, DOB, ssn, address, telephone and other documents)
Various corporate documents marked confidential, audits, Board Minutes, marketing, analytics, various sage databases
“USA patient database” ??
When LockBit subsequently leaked the data, DataBreaches examined several files where the filenames included “patient.” One of them was a .csv file with with patients’ first and last names, postal addresses with state and zip code, phone number, and SSN. There were no diagnoses or treatment information, just demographic information and SSN. Other files appeared to involve the same patients. Some also had health insurance information and date of birth. One file had more than 1 million rows, although not necessarily 1 million unique patients.
Almost all of the patient addresses were in Mississippi, but were the data real patient data or test data?
Conducting a google search for some individuals’ names +Mississippi, DataBreaches found listings in WhitePages that matched the names and cities in Mississippi. Attempting to validate a sample of SSNs in one of the files that did not contain date of birth returned results that they were all valid SSNs, although the state in which the SSNs were issued often did not match the patient being in Mississippi (but of course, people may have moved over their lifespan and many of these patients were elderly). Based on the sampling results, then, these appeared to be real patients’ data.
But whose data was it originally? Nothing in the .csv fields or file metadata indicated the data’s U.S. source.
DataBreaches sent an inquiry to HSKSG asking for clarification on how a patient contact database with U.S. patient information wound up on their server. The inquiry asked, in part:
And because it’s somewhat unusual, can you explain to me why there is a large .csv file with patient data on American patients who appear to be mostly from Mississippi? How did a UK business acquire patient data from the U.S.? Did/do you have consent of American patients to transfer their data out of the U.S. to the UK? I appreciate client confidentiality, but what client gave you these data, and are they now notifying the U.S. Department of Health and Human Services of this breach or are you?
There are obviously so many questions raised by this situation apart from what DataBreaches posed to HSKSG, but we started with those.
DataBreaches received no reply from HSKSG after three days, but with some additional digging, DataBreaches identified a possible source of the data. DataBreaches is not naming the entity at this time in case we have erred, but DataBreaches sent an email to the U.S. entity explaining the situation (but not naming the U.K. firm) and providing the U.S. entity with a small sample of patient names. DataBreaches asked them to check their current and past records to see if those names were the names of past or current patients and to respond within 48 hours.
They did not reply.
DataBreaches has sent a second inquiry to HSKSG. If there is still no reply from HSKSG or the entity in the U.S., DataBreaches will contact the FBI and suggest they get answers so that someone takes responsibility for notifying these patients of the need to protect themselves and will also contact the Information Commissioner’s Office to ask them some questions.