DataBreaches.Net


Update: Nocona General Hospital “recently” learned of a breach we reported in early February

Posted on May 20, 2021 by Dissent

On February 4, DataBreaches.net reached out to Nocona General Hospital (NGH) in Texas about an attack claimed by Conti threat actors the previous day. The hospital did not respond. On February 7, this site emailed NGH, writing, in part, “I see that Conti threat actors have dumped files that they claimed they copied and stole from your system when they attacked you with ransomware. As proof of their claims, they dumped a number of files from 2018.” Nocona was again asked to confirm whether or not they had been attacked. Once again, they did not reply, but on February 9, Texas media reported that the hospital’s external counsel, Brian Jackson, stated that the hospital had found no evidence of a breach of the hospital’s main patient database.

Jackson said the files accessed by potential overseas hackers were a part of patient transfer files and the amount remains unclear at the time.

Jackson also reportedly told media that the hospital was not a victim of a ransomware attack. His statements were intended to be reassuring, and maybe they were to those who weren’t looking at the proof of claims, but it seemed clear that at least some patient files had been taken from NGH.

On February 10, DataBreaches.net tried again, via email, writing, in part:

Conti threat actors have now dumped more than 1,700 files that they claim they exfiltrated from your server(s). 1. Are you (still) claiming that there was no ransomware or that nothing was locked up? 2. Are you still claiming that there was no ransom demand? 3. Are you notifying HHS/OCR of this breach?

Jackson called DataBreaches.net in response, and as this site reported later that day:

He did not have a lot of information to share at this point, but stated that they believed that the threat actors had not been able to access the EMR system, and that what they had accessed appeared to be an older server that held files relating to the transfer of patients. He reiterated what he had told NBC News — that they had not seen any ransom demand — but acknowledged that there might have been one and they just didn’t read it. They received no phone call demands, he stated.

After looking through more of the data dump, they do not appear to me to be from a folder that would relate to the transfer of patients to other hospitals or facilities, and it’s not clear why there would be files from 2010 in with files from 2018 and even early 2020. At some point, forensics will probably be able to clarify exactly where these files came from on their system.

Was Nocona even actually attacked with ransomware? When Jackson was asked whether the files were locked, he responded that they had been, but then it turned out he meant that the files had been secured before the attack. When the question was clarified for him, he responded that he believes that they were attacked with ransomware, but it clearly was not an answer said with any confidence. He also stated, in answer to another question, that the hospital’s consultants believe that they have kicked the attackers out of their network.

There was nothing further after that date. Conti threat actors did not add any more files to the data dump of 1793 files that have been available online on both clear net sites and the dark web since February 10. Of note, Conti has not indicated that they have dumped 100% of all files they acquired, which they often do when they claim they have dumped everything. A counter on their site indicates that there have been more than 38,000 views of their entry on Nocona with the list of downloadable files.

It is not clear how many actual downloads of the data occurred, but the data are still available and will likely remain available until either the threat actors remove the listing or someone takes their whole server down.

On May 5, three months after data were first posted on Conti’s dedicated leak site, NGH notified HHS and issued a statement on its site.

The statement begins:

Nocona General Hospital recently learned of a criminal cyber attack which enabled hackers to access certain file folders on its computer network. Upon learning of this incident, Nocona General Hospital immediately launched an investigation to more clearly understand its scope. Because the hackers gained access to Nocona General Hospital’s network, the hackers are believed to have accessed information in certain folders which may have included names, gender, ages, dates of birth, addresses, Social Security numbers, diagnosis information, procedure descriptions, or procedure codes.

No, it didn’t “recently” become aware. It became aware 3 months earlier.

You can read the full notification, embedded below, but DataBreaches.net would call attention to the fact that nowhere does Nocona reveal that patient-related files have been made freely and publicly available.

“The hackers are believed to have accessed information in certain folders,” they write, but Nocona knows that specific files were accessed and exfiltrated, even if it is not sure what folders were accessed. Why doesn’t it just bluntly tell its patients the unvarnished truth?

According to its notification to HHS, 3,254 patients were impacted. Letters were reportedly sent to them on April 30. For many of them, their protected health information may still be freely available on the internet, but they will have no idea of that.

NGH-Data-Breach-Press-Release
Category: Breach Incidents, Health Data, Malware

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.