“Without Undue Delay, Part 1:” Update on earlier ransomware cases

Posted on January 5, 2021 by Dissent

In November, DataBreaches.net published a commentary arguing that patients need to be notified sooner of ransomware dumps even if HIPAA would seem to allow up to 60 days. As a companion to that piece, this site looked at 30 claimed ransomware attacks on U.S. healthcare entities that had been revealed on dedicated leak sites by threat actors in 2020. Our analysis noted whether there had been any public disclosure by the victims, whether the incident had appeared on HHS’s public breach tool, and/or whether a notice had been posted on any publicly available state attorney general site.

What we found at the time was that only a minority of the 30 entities had issued any publicly available notice or information for patients that we could find. Many of the entities repeatedly ignored inquiries from this site asking whether patient data had actually been breached, and if so, whether patients or regulators had as yet been notified.

The 30 claimed attack victims discussed in the report are listed below. Those for whom we had found some type of notification were indicated in boldface in the original list:

  • Ventura Orthopedics 1
  • Adams County Memorial Hospital 2
  • Higginbotham Family Dental
  • New York Foundation for Senior Citizens
  • Family Health Centers Of Georgia Inc
  • Riverside Community Care Inc
  • Crossroads Technologies
  • Stockdale Radiology
  • Sunset Cardiology
  • Affordacare Urgent Care Clinic
  • Kristin Tarbet, M.D. 3
  • Maxwell Aesthetics
  • Medical Management, Inc.
  • United Memorial Medical Center
  • Abington Reproductive Medicine 4
  • North Shore Pain Management
  • Valley Health System
  • Beacon Health Solutions
  • North Shore Pain Management
  • Luxottica
  • University Hospital New Jersey (UHNJ)
  • Assured Imaging
  • Piedmont Orthopedics | OrthoAtlanta
  • Lorien Health Services
  • Olympia House
  • The Center for Fertility and Gynecology
  • Wilmington Surgical
  • Dyras Dental
  • Sonoma Valley Hospital
  • Med-Care Infusion Services, Inc. 2

1 Two different threat actors claimed to have attacked Ventura Orthopedics and dumped different data.
2 The threat actors had not dumped any patient data so it was — and is — unclear whether the incident definitely involved PHI, although there was some proof that the entity had been attacked.
3 The original report may have erred in naming Tarbet, as it was later discovered that Amara Medical Aesthetics had posted a notice on its site on October 26 that seemed to relate to the breach identified as Kristin J. Tarbet, MD by Maze threat actors. Amara and Tarbet are associated entities. Did Maze identify the wrong victim or system? Perhaps. Tarbet never responded to inquiries and the Amara notice was more than five months after the first data dump with patient data. No report from Amara or Tarbet appears on HHS’s public breach tool.
4 The “proof” offered for this entity was not from that entity, and they never responded to inquiries as to whether they had been attacked.

Follow-Up

DataBreaches.net followed up on the incidents where we had not found any notifications or disclosures by the November 9th report. In one case, we found that there was still no evidence of any hack provided by the attackers (the Abington claim by Maze). And in two other cases, there was still no evidence of any PHI dumped (Adams County Hospital and Med-Care Infusion), so we are not sure what the attackers actually accessed and exfiltrated.

Of the 14 other follow-ups, six entities have provided some notice or notification since our November 9 report:

  • Riverside Community Care Inc
  • University Hospital New Jersey (UHNJ)
  • Olympia House (Sonoma Recovery)
  • Sonoma Valley Hospital
  • Wilmington Surgical; and
  • Beacon Health Solutions

Three of the above six entities appear on HHS’s public breach tool at this time.

With that update, we now have (only) 18 of the original 30 that have sent notifications to regulators or publicly posted notifications that we could find, even though some of the entities were breached months ago. Did they notify patients and/or regulators, but not publish anything on their sites or to HHS? We simply do not know what happened, if anything, and what they did in response because the entities have ignored inquiries.

What’s Next?

Keep in mind that these reports only address incidents claimed on leak sites. We often have no window into attacks by threat actors who do not maintain leak sites (such as Ryuk). As one consequence, some of the largest or most impactful attacks have never shown up at all on dedicated leak sites. The more successful threat actors are, the less likely we are to see any mention of victims on their site, but the entities are still required under HIPAA to notify HHS and patients of reportable breaches.

DataBreaches.net will continue to follow up on the incidents described in the first part. In some cases, watchdog complaints have already been filed with HHS to ask them to investigate whether breached entities have actually notified them or patients.

But the 30 incidents in the first report were not a complete listing of U.S. ransomware incidents potentially impacting patients that had been posted on ransomware leak sites in 2020. In Part 2 of “Without Undue Delay,” to be published this week, we will report on other ransomware attacks against medically-related U.S. entities that also appeared on dedicated leak sites in 2020 and whether they have been disclosed to patients or regulators.


Corrections and updates to this post can be sent to breaches[at]databreaches[dot]net.

Update 1:  Post-publication, this site was contacted about one of the as-yet-unreported incidents. As a result of that person’s keen eye and experience, DataBreaches.net has reached out to an entity who may be the actual victim of an attack attributed to a different victim name. This list may be updated when that entity responds to an inquiry DataBreaches.net sent to it today.
