On April 22, Pinnacle Orthopaedics & Sports Medicine Specialists LLC (“Pinnacle”) discovered that it had been the victim of a cyberattack. By April 29, it had identified less than ten patients who had been affected and promptly sent them notification letters. But that wasn’t the end of their investigation or problems.
By June 7, Pinnacle’s investigation determined that more than 500 patients had been affected. On June 21, they issued a press release and posted a notice on their site that they were still undertaking a detailed review and analysis to identify potentially impacted individuals and their contact information.
The types of information that may have been involved for patients included: provider name, date of birth, medical or health information, health care treatment or diagnostic information, health insurance information, or billing or payment information.
Pinnacle’s notice indicated that former and current employees and patients may have been affected, but it did not make clear whether this was a hack with exfiltration or if the attack also involved file encryption.
Importantly, Pinnacle’s substitute notice did not indicate that the threat actors responsible for the attack had already leaked data containing patient information on a dark web leak site.
Data Leaked
On May 2, INC Ransom claimed responsibility for the attack and posted 12 screencaps as proof of access and acquisition:
On May 20, they leaked data from Pinnacle.
Inspection of the data by DataBreaches found no evidence that any EMR system was involved, but what will likely be problematic for Pinnacle is the significant number of old files containing PHI. DataBreaches noted aging sheets for 2016-2019 in just one folder. Aging sheets contain patients’ names, their date of service, their health insurance info, the type of medical service they received on that date, and the amount still due on the account.
As an example of the extent of the problem, one aging file with more than 100 pages would contain more than 500 entries for patients. While some patients may be repeat patients, the fact that numerous years were involved means that the data breach team has a lot of files to go through, including manual inspection of files such as scanned medical records request letters sent by law firms requesting records for clients who had been in accidents or had worker compensation claims. DataBreaches noted many claims from the early 2000’s.
DataBreaches could not find any submission to HHS as of publication, but HHS does not always post submissions promptly. Pinnacle’s notification indicated that it has notified HHS. When HHS does post it, we may see a “marker” of 500 or 501 for the number affected.