Attacks on hospitals by ransomware threat actors continue to make headlines, as do attempts to hack laboratories or entities involved in COVID-19 related research. Attacks on diagnostic laboratories without an obvious COVID-19 connection tend to garner fewer headlines but should be of no less concern, as the ability to diagnose health conditions correctly is a precursor to treatment.
This week, DataBreaches.net reached out to two diagnostic labs that have apparently been the victims of ransomware attacks. Neither of these labs are big corporations or chains like LabCorp or Quest. One is located in Virginia and the other has locations in New York and south Florida.
Taylor Made Diagnostics (TMD)
Founded in 1995 by Carolyn Taylor, a registered nurse, Taylor Made Diagnostics in Newport News operates and manages occupational health clinics in the Hampton Roads, Virginia area. As an occupational health service, they provide services including drug testing, CPR training, fit for duty evaluations, vaccinations and respirator fit testing.
Their founder and clinic have won a number of awards and as recently as July 2020, Carolyn Taylor was recognized as the 2020 Hampton Roads Chamber Entrepreneur Award Winner. But now Conti threat actors have created what may be massive privacy breach problems for TMD.
TMD did not respond to multiple inquiries sent to it about Conti’s claims and proffer of proof, but it’s likely from the files the threat actors did upload that a lot of protected health information may have been accessed and exfiltrated. More than a dozen files reveal personal and medical information on employees of their clients or people referred for evaluations for fitness for duty by applicants to Coast Guard and the like. Names, addresses, dates of birth, phone numbers, last four digits of SSN (and in some cases, full SSN), images of driver’s licenses, details of medical histories, and lab results and evaluation data are all there… unencrypted. Some of the files are 20-30 pages of forms and protected health information.
The data that were dumped are not in the kind of convenient tables or spreadsheets that lend themselves to easy misuse, but these files were presumably picked to motivate TMD into negotiating with the threat actors. Then, too, even just the list of files is somewhat problematic because the filename structure contains the patients’ last name, first name or initial, and DOB.
If TMD responds to the multiple inquiries sent to it, this post will be updated.
Apex Laboratory Inc.
Apex Laboratory, Inc. provides diagnostic testing services in its offices in New York and south Florida. The firm, which is headquartered on Long Island, also provides in-home (mobile) or on-site testing for patients in nursing homes or other facilities or who cannot get to their laboratory locations.
Apex was attacked by DoppelPaymer. And as those threat actors have done many times before, they didn’t hold back in dumping proof of attack and acquisition of files with personal and medical information. Some of the files the attackers dumped on December 14 contain specific laboratory test results and diagnostic information, but a bigger problem may be the rosters with patient names and PHI fields like date of birth, SSN, Medicare Number, Medicaid Number, date of admission to a facility, date of discharge, and in some cases, gender, marital status, religion, and other insurance information.
The rosters, which appear to be from more than a dozen facilities on Long Island, are not current, but contain well over 1,000 patients’ personal and protected health information — data that can be used for identity theft or social engineering, particularly if we are talking about an older population who might be in a nursing home.
Not all of Apex’s files dumped by DoppelPaymer are patient records or rosters. Some of the files are routine business files, but even those can be embarrassing for a firm.
Apex did not respond to an inquiry this site sent. If it responds, this post will be updated.
As this site has done with other ransomware attacks on U.S. healthcare entities, this site will continue to monitor leak sites to see if there are updates or if the listings disappear.
As this blogger and site have advocated before: victims need to notify patients quickly if their data has been dumped by threat actors. At least post something to alert people that an attack is being investigated and that patients should be vigilant. Or contact your clients and let them know their patients’ data may have been compromised.