On February 16, DataBreaches.net reported that Conti threat actors had apparently attacked Rehoboth McKinley Christian Health Care Services, Inc (RMCHCS) in New Mexico.
As they have done in similar attacks, the threat actors dumped a small sample of files as proof. The files include copies of handwritten injury reports and other reports related to named individuals’ care. The reports include demographic and protected health information. The sample also contains images of driver’s licenses and a Social Security card, a prescription, and a passport.
RMCHCS did not respond to an inquiry from DataBreaches.net about the claimed attack.
On March 3, Kevin Collier of NBC reported that no one had as yet been notified, despite the fact that sensitive files had been dumped with everything from job applications and background checks to staff injury reports.
Collier also noted what DataBreaches.net had observed — the listing for RMCHCS on Conti’s site appeared to have disappeared. Sometimes, listings disappear while the threat actors are updating them. Sometimes, listings disappear if the victim suddenly begins negotiations with the threat actors. Sometimes, listings disappear because the victim has paid the ransom demand.
On May 19, RMCHCS notified individuals of the breach and posted a notice on their web site. Their notice begins:
Rehoboth McKinley Christian Health Care Services (“RMCHCS”) learned on February 16, 2021 that certain patient information may have been removed from its computer network as a result of potential unauthorized activity that it had been investigating. RMCHCS promptly engaged a third-party forensic firm to further investigate the incident and assist with remediation efforts. RMCHCS’ investigation has found that an unauthorized party was able to access certain systems that contained patient information and remove some data between January 21 and February 5, 2021. As a result of its review, on April 30, 2021, RMCHCS was able to identify the individuals whose information may have been involved and is notifying them of the incident and providing them with information about steps they can take to protect themselves.
The patient information may have included: (1) information to identify and contact the patient, such as name, date of birth, address, telephone number, and email address; (2) Social Security number, driver’s license number, passport number, and/or tribal ID number; (3) health insurance information, such as name of insurer, plan number, and member number; (4) medical information, such as Medical Record Number, dates of service, provider names, prescription information, treatment, and diagnosis information; and (5) billing and claims information, including financial account information.
You can read the rest of their notification on their web site. Their notice makes no mention of any ransom demand or having paid any ransom. DataBreaches.net emailed RMCHCS today to inquire whether they paid ransom to keep the files off the internet. There has been no reply as yet.
As with the Nicona General Hospital update reported today by this site, RMCHCS learned of the breach in February, sent letters to patients on April 30, and issued notices in May. Does that mean that the gap between an early February breach, April 30 notification, and May public notices is an acceptable timeframe? Not only does it appear to be past the “no later than 60 days from discovery” deadline, but the fact that data were already dumped publicly and the entity knew that in February should have resulted in earlier notification — even an interim notice.
In an FAQ on the incident, RMCHCS has a question:
With any such incident, it takes time to gather the relevant information, identify the affected individuals, and arrange the assistance services that are being offered. As soon as RMCHCS discovered the incident, we promptly launched a forensic investigation, contacted law enforcement, and took steps to remediate the incident. It was important that we accurately understood what happened and properly identified individuals who were potentially impacted.
Yes, that is true for individual notification letters. But why not immediately issue a press release that you are aware that there has been an incident and that you are investigating it, but you want everyone to be vigilant and are therefore advising them to….. ? In this case, people were contacted by NBC and so some people knew that their PII or ePHI was already in the wild. But did everyone? Almost certainly not.
RMCHCS is notifying 209,280 individuals about this incident.
DataBreaches.net repeats its frequent — and unabashedly strident — call for HHS and OCR to issue some guidance to have entities disclose incidents sooner — even interim notices — when they are aware ePHI has been publicly dumped on the internet — even if the victims pay ransom because criminals pinky swear that they will destroy all the files and never ever share it. Here’s a news flash: criminals lie. Once an entity knows that criminals got their hands on sensitive and personal information that could be misused, they should promptly issue a warning for people to take steps to be alert and to protect themselves.