On February 15, yours truly created an entry in the worksheet I maintain for tabulating U.S. incidents involving health data or protected health information. The entry listed “Capital Medical Center” in Washington as the breached entity, the date of disclosure as February 15, 2021, and the type of incident as a claimed ransomware attack by Avaddon threat actors. There was nothing on Capital Medical Center’s web site mentioning any breach, and there was nothing on the state’s public list of breach reports received. Nor was there any report on HHS’s public breach tool. The only indication of any incident was that on or about February 15, Avaddon had added them to the dedicated leak site they use to pressure victims into paying. And as part of their pressure, Avaddon had uploaded a number of files containing personal and protected health information on named patients.
And so DataBreaches.net waited to see when some notification by Capital Medical Center would show up — either on their site, or in a press release or media notice, or on the state’s breach list, or on HHS’s public breach tool.
But it didn’t show up anywhere.
Avaddon likely gave up on trying to extort them as they dumped almost 30 GB of files and moved their name to the “Full Dumps” list from the “New Companies” (active) list.
And still there was no notification posted anywhere, so DataBreaches.net started investigating. And the first thing this blogger learned was that Capital Medical Center had been absorbed by MultiCare. In response to my inquiries, Multicare responded on April 23rd with the following statement:
MultiCare Capital Medical Center has always held protecting the security and confidentiality of private information as a top priority. It’s important to understand that when we knew about this potential situation in February, we immediately conducted a full investigation and determined that we were not impacted by this ransomware attack in any capacity.
And when DataBreaches.net examined the data dump, it became clear that while some of the files in the sample POC had mentioned “Capital Medical Center,” other files in the sample, and most of the files in the dump linked to Dustan C. Osborn MD, PhD, his associate, Marles Geist MSN, ARNP, and/or to Osborn Cancer Care (OCC).
OCC has one office in Chehalis, WA, and its second location is in Olympia, WA at 3920 Capital Mall Dr. Ste 100. MultiCare Capital Medical Center is at 3900 Capital Mall Dr. In December, MultiCare had signed an agreement to acquire ownership interest in Capital Medical Center. And on April 1, 2021, Capital Medical Center in Olympia became part of MultiCare Health System. Dr. Osborn is also affiliated with MultiCare Capital Medical Center.
So Dr. Osborn is linked to Osborn Cancer Care and Capital Medical Center, but the ransomware attack was not on Capital Medical Center but appears to have been on Osborn Cancer Care. Avaddon threat actors seem to have erred in their identification of their victim. It would not be surprising if they also tried to extort the wrong entity.
In any event, Avaddon’s data dump contained more than 85,000 files with unencrypted ePHI on patients as well as personal information of employees. Many of the files are scanned pdf files with patients’ names, lab or clinical reports, or other types of medically related records. Some files pre-date 2015, but the bulk begin in 2015. The most recent patient-related file observed in the dump was dated January 26, 2021, suggesting that the threat actors exfiltrated data on or about that date.
Even the directory of filenames reveals ePHI as many of the files incorporated the patients’ names as part of the filenames.
DataBreaches.net did not attempt to analyze the data to determine how many unique patients are impacted by this breach, but notes that the files included patient files, employee files, and xml files.
DataBreaches.net reached out to Osborn Cancer Care three times beginning last week: twice via contact form on their web site and once via phone, leaving a detailed voicemail. They have not responded at all. If Osborn Cancer Care is not the source of the breached files with ePHI (although it appears that they are), then DataBreaches.net will update and correct this post.
If they are the source, then DataBreaches.net hopes that they have notified patients whose personal and medical information has been freely available on the dark web for all to take and misuse. But it is now more than two months since DataBreaches.net — and apparently MultiCare — became aware of this breach. DataBreaches.net asked MultiCare if they ever contacted Dr. Osborn and/or Osborn Cancer Care after investigating the breach allegation to alert them to do their own investigation. This site has gotten no response to that question yet. If MultiCare contacted Dr. Osborn or OCC in February, then that is even more evidence of “discovery” that should have started a notification clock under HIPAA and HITECH. But if OCC is the source, why did their security controls not detect almost 30 GB of data being exfiltrated? Were their files encrypted by Avaddon, as Avaddon claimed? If so, wouldn’t they have detected that?
What is going on here?
Earlier today, DataBreaches.net reached out to the State of Washington to inquire whether any report had been filed with them and to suggest that they open an investigation if none has been filed.
DataBreaches.net will continue to follow this incident and to monitor OCC’s site, the State of Washington’s breach list, and HHS’s public breach tool.