Leon Medical Centers (LMC) in Florida has issued a press release about the ransomware attack it experienced, and that DataBreaches.net has reported previously. In our most recent report, we noted that Conti threat actors had dumped protected health information for numerous patients, while claiming that they still had more files from Leon that they would dump. It is not clear if the remaining 20% that they claim to have are patient-related, employee-related or organizational files without any personal information.
LMC writes:
DORAL, Fla. Jan. 8, 2021 /PRNewswire/ — Leon Medical Centers, LLC (“Leon Medical”) today announced that a recent event may have impacted the security of personal information relating to certain residents of Florida. While Leon Medical is still in the process of identifying impacted individuals and preparing direct written notification letters regarding the incident to them as soon as possible, we are now providing information to the media about the event and steps individuals may take to better protect against the possibility of identity theft and fraud, should they feel it is necessary to do so.
What Happened? On November 8, 2020, Leon Medical learned that it was the target of a cybercriminal attack and that portions of our computer network were infected with malware. We immediately took systems offline and, with the help of cybersecurity professionals, launched an investigation into the nature and scope of the incident. On November 9, 2020, we received confirmation that certain files stored within Leon Medical’s environment that contain personal information had been accessed by the cybercriminals.
What Information Was Involved? Leon Medical determined that the type of information potentially impacted may vary significantly by individual and that the following types of information may be impacted: name, contact information, Social Security number, financial information, date of birth, family information, medical record number, Medicaid number, prescription information, medical and/or clinical information including diagnosis and treatment history, and health insurance information.
What Leon Medical is Doing. Leon Medical takes the privacy and security of sensitive information within its care very seriously. In response to this incident, Leon Medical took immediate steps to identify the issues that allowed unauthorized access to its databases to occur and is working hard to address them. Leon Medical is still in the process of a thorough review to identify all individuals whose information was impacted by this incident and will be providing written notice as soon as possible to individuals that Leon Medical determines have been impacted by this incident.
At this time, Leon Medical has already notified the U.S. Department of Health and Human Services (HHS), the Attorney General, the Federal Bureau of Investigation, and prominent news media outlets throughout the State of Florida. Leon Medical may continue to notify other appropriate authorities as it learns more.
What Potentially Affected Individuals Can Do? Individuals who believe they may be impacted by this incident can call the dedicated confidential assistance line detailed below or find out more about how to protect against potential identity theft and fraud in the below section Steps You Can Take to Prevent Fraud and Identity Theft.
For More Information. If you believe you may have been impacted by this incident and have questions, please call Leon Medical’s dedicated assistance line at 855-914-4725 between the hours of 9am– 9pm ET.
You can read the full press release here.
Does anyone notice what is missing from the notice? They do not mention that the patient data was dumped and is freely available on clearnet and on the dark web. While they may not want to point people at freely available personal and sensitive information, will people take their notice seriously enough if they have not been told, “Hey, your information is out there for everyone in the world to copy, so you are at serious risk of people attempting to misuse your information — get busy protecting yourself!”
Yes, I can think of a million reasons why an entity doesn’t want to say that. But there is one overriding reason why they should — the purpose of notification is part of mitigation — to reduce harm to individual and if they don’t protect themselves, their risk of harm is greater.