On November 9, DataBreaches.net posted a commentary calling for patients to be notified sooner when their data had been stolen and dumped by ransomware threat actors. In the companion article to that post, Without Undue Delay, specific victims were listed with comments as to whether they had notified patients or not.
One of those victims who had not yet notified patients was Riverside Community Care. In that article, DataBreaches.net reported that Riverside Community Care had been added to Conti threat actors’ leak site on October 21, 2020, and that
Conti posted a few files as proof — one contained the names, home addresses, and cellphone numbers of staff. Another contained a discharge summary with medications on a patient. Another contained a home health care plan for a named patient that has all his details, including a diagnosis of schizophrenia.
DataBreaches.net sent Riverside an email inquiry with specific details on October 21. They did not respond at all and there is nothing on their web site as of today to warn people that their personal and possibly sensitive information is in the hands of criminals.
DataBreaches.net found that RCC subsequently did report an incident to the Massachusetts Attorney General’s Office on November 18, but it appeared that RCC claimed (only) 2 Massachusetts residents were affected, which did not seem likely for this ransomware attack. DataBreaches.net wrote to Riverside Community Care again to ask them to clarify the incident, but again, received no response. The November notification to Massachusetts, subsequently obtained by DataBreaches.net, seemed to be addressed to people — employees, perhaps? — whose name, SSN, and driver’s license number were involved in an incident.
On December 3, Conti threat actors added even more files with RCC employee and patient/client personal and protected information to their dark web and clearnet leak sites.
By now, there have been more than 8,000 accesses to that page, and there’s no telling how many people may have actually scraped or downloaded files with protected health information. But these files contained a lot of sensitive information, such as a 10-page file on a named patient that contains his medical history, date of birth, address, and other issues that led to his appointment.
On December 21, Riverside posted a notice on their web site. The notice indicated that Riverside still hadn’t notified patients although they would be sending out letters. Riverside’s notification reads:
Riverside Community Care, Inc. is committed to protecting the confidentiality and security of our clients’ information. This notice describes a data security incident that may have involved information for some of our clients.
On October 23, 2020, Riverside determined that an unauthorized party gained access to files containing information for some clients. The unauthorized access resulted from a data security incident that we first identified on October 17, 2020, which disrupted the operations of our IT systems.
Upon learning of the data security incident, Riverside immediately took steps to secure our systems, notified law enforcement, and launched an investigation. Riverside’s investigation confirmed that this incident did not involve unauthorized access to its Electronic Health Record or billing systems.
Through our investigation, we determined that an unauthorized party may have accessed our IT systems between the dates of October 15, 2020, and October 17, 2020. During that time, the unauthorized party may have accessed files on some systems containing some client information, including client names in combination with dates of birth, health insurance plan information, dates of service, provider names, clinical information, and affiliation with Riverside as a client. In some very limited instances, some client Social Security numbers may have been subject to unauthorized access as a result of the incident. Riverside will mail letters to individuals whose information may have been involved in the incident. In addition to mailing letters, we have established a dedicated, toll-free call center to answer questions that clients may have. If you have questions, please call 800-847-2562, Monday through Friday, between 8:00 a.m. and 5:00 p.m., Eastern Time, excluding major U.S. holidays.
We recommend that clients whose information may have been involved in this incident review the statements they receive from their health care providers and health insurance plan. If they see services they did not receive, clients should contact the provider or health insurer immediately.
We deeply regret any inconvenience or concern this may cause you. To help prevent something like this from happening again, we have implemented enhanced, continuous monitoring and alerting software on our IT systems.
“May have, may have, may have”…
Notice that their web site notification does not make explicitly clear that some client data has already been made publicly and freely available on dark web and clearnet leak sites. Does their letter to clients tell them that their data is now exposed on the web for anyone who wants to read it or grab it?
As this site has argued in the past, the 60-day provision in HIPAA about notification does NOT protect patients adequately as we know that patient data was in criminal hands for more than two months at that point, and some of it was already dumped publicly.
DataBreaches.net believes that at the very least, Riverside should have promptly notified people whose PII and PHI were on the public leak sites in October and early December. Maybe RCC didn’t know everyone whose data had been accessed or exfiltrated, but they certainly had proof for those clients, so why weren’t they given an early alert to protect themselves? And why does their notification say “may have” instead of being clear that there is hard proof that it HAS happened in at least some cases?
Of continuing concern: Conti threat actors did not indicate that their December 3 dump was now a full dump. It is quite likely, or at least possible, that they are still sitting on other files from Riverside Community Care, or may be misusing or sharing the data in spaces that DataBreaches.net does not have access to.