Although some threat groups or affiliates have sworn off attacking the medical sector with ransomware, not all have. On Sunday evening, June 2, Special Health Resources (“SHR”) posted a notice on their Facebook account:
We are currently experiencing technical difficulties and on Monday, our health centers will only see patients who are actively sick. All other routine and non-urgent appointments will be rescheduled.
We apologize for any inconvenience.
As of publication, alerts on their website indicate that the “technical difficulties” have not been resolved:
We are currently experiencing technical difficulties that have caused a temporary disruption to our systems. We apologize for the inconvenience. Resolving this issue is our top priority.
Most clinics are open and are able to see established patients as walk-in visits, including prescription refills. Dental services are temporarily unavailable. If you are unable to reach us via phone, you can also communicate via Facebook messenger on your health center’s Facebook page. We are working on alternative ways to communicate.
Some clinics more impacted than others
SHR has multiple locations in East Texas and Southwest Arkansas. A notice on their site described the status of different clinics:
Jacksonville Care Clinic is temporarily closed due to technical difficulties and are not seeing patients at this time.
Tyler Care Clinic – Troup Hwy. (behavioral health patients only), Tyler Care Clinic- Midtown, Jim Meyer Comprehensive Health Center, Pediatric Clinic of Paris, Paris Care Clinic and Texarkana Care Clinic – 6th St. are currently only seeing established patients as walk-in visits. Woman & Child Health Center of Longview is also seeing established patients as walk-in visits until 2 p.m. Dental services are not available.
The above schedule is in place for Monday, June 10.
We apologize for any inconvenience. Staff will contact patients to reschedule appointments.
The “technical difficulties” are from ransomware
On June 8, DataBreaches learned that SHR had been attacked by BlackSuit. A spokesperson for the ransomware gang provided this site with a link to a non-public message on their leak site that indicated that they had not heard from SHR in response to the attack.
“It is up to you of course whether to negotiate or not, but our experience says that remaining silent is the worst option for you,” they wrote to SHR.
BlackSuit also provided this site with a file tree showing the directory and files they claim to have acquired. The file tree consisted of 18,829 directories with 253,671 files. Some of the files appeared to be internal company files, including files with some employee data. Other files, including .dcm files, likely contain protected health information of patients. Without the actual files, DataBreaches could not attempt to validate or verify the authenticity of any claims, but a Google search of what appeared to be patient names did find people with those names in locations where SHR has clinics. That in combination with SHR’s website status and file tree provide some support for BlackSuit’s claims.
Has SHR made any recovery progress?
As of publication, SHR does not seem to have established alternative ways to communicate. Attempts to reach SHR administration by phone on Saturday and every day since then have only reached after-hours nursing care to leave messages. Attempts to email executives continue to bounce back as “user unknown” every day. Their Facebook account has not updated their operational status since their June 2 post.
SHR’s alert today about which clinics are open is almost the same as last week when DataBreaches first checked their site except that Texarkana Care Clinic – 6th St. was listed as closed last week and is now listed as open, but only to seeing established patients as walk-ins.
SHR does not provide an estimate of when normal services will be restored or when they will be able to see new patients. Do they even have access to all of their established patients’ medical and billing records? Without being able to reach them to inquire, it is impossible to know for sure.
As of publication, BlackSuit’s countdown clock for SHR has run down. A spokesperson for the group informs DataBreaches that SHR will be added to their leak site tomorrow.
A ransomware attack is very heart touching movement for a website owner