DataBreaches.Net


Update: Rehoboth McKinley Christian Health Care Services notified 209,000 patients of February ransomware incident

Posted on May 20, 2021 by Dissent

On February 16, DataBreaches.net reported that Conti threat actors had apparently attacked Rehoboth McKinley Christian Health Care Services, Inc. (RMCHCS) in New Mexico.

As they have done in similar attacks, the threat actors dumped a small sample of files as proof. The files include copies of handwritten injury reports and other reports related to named individuals’ care. The reports include demographic and protected health information. The sample also contains images of driver’s licenses and a Social Security card, a prescription, and a passport.

RMCHCS did not respond to an inquiry from DataBreaches.net about the claimed attack.

On March 3, Kevin Collier of NBC reported that no one had as yet been notified, despite the fact that sensitive files had been dumped with everything from job applications and background checks to staff injury reports.

Collier also noted what DataBreaches.net had observed — the listing for RMCHCS on Conti’s site appeared to have disappeared. Sometimes, listings disappear while the threat actors are updating them. Sometimes, listings disappear if the victim suddenly begins negotiations with the threat actors. Sometimes, listings disappear because the victim has paid the ransom demand.

 

On May 19, RMCHCS notified individuals of the breach and posted a notice on their web site.  Their notice begins:

Rehoboth McKinley Christian Health Care Services (“RMCHCS”) learned on February 16, 2021 that certain patient information may have been removed from its computer network as a result of potential unauthorized activity that it had been investigating.  RMCHCS promptly engaged a third-party forensic firm to further investigate the incident and assist with remediation efforts.  RMCHCS’ investigation has found that an unauthorized party was able to access certain systems that contained patient information and remove some data between January 21 and February 5, 2021.  As a result of its review, on April 30, 2021, RMCHCS was able to identify the individuals whose information may have been involved and is notifying them of the incident and providing them with information about steps they can take to protect themselves.

The patient information may have included: (1) information to identify and contact the patient, such as name, date of birth, address, telephone number, and email address; (2) Social Security number, driver’s license number, passport number, and/or tribal ID number; (3) health insurance information, such as name of insurer, plan number, and member number; (4) medical information, such as Medical Record Number, dates of service, provider names, prescription information, treatment, and diagnosis information; and (5) billing and claims information, including financial account information.

You can read the rest of their notification on their web site. Their notice makes no mention of any ransom demand or having paid any ransom. DataBreaches.net emailed RMCHCS today to inquire whether they paid ransom to keep the files off the internet. There has been no reply as yet.

As with the Nocona General Hospital update reported today by this site, RMCHCS learned of the breach in February, sent letters to patients on April 30, and issued notices in May. Does that mean that the gap between an early February breach, April 30 notification, and May public notices is an acceptable timeframe? Not only does it appear to be past the “no later than 60 days from discovery” deadline, but the fact that data were already dumped publicly and the entity knew that in February should have resulted in earlier notification — even an interim notice.

In an FAQ on the incident, RMCHCS has a question:

  • Why am I only now being contacted?

With any such incident, it takes time to gather the relevant information, identify the affected individuals, and arrange the assistance services that are being offered. As soon as RMCHCS discovered the incident, we promptly launched a forensic investigation, contacted law enforcement, and took steps to remediate the incident. It was important that we accurately understood what happened and properly identified individuals who were potentially impacted.

Yes, that is true for individual notification letters. But why not immediately issue a press release that you are aware that there has been an incident and that you are investigating it, but you want everyone to be vigilant and are therefore advising them to….. ?  In this case, people were contacted by NBC and so some people knew that their PII or ePHI was already in the wild. But did everyone? Almost certainly not.


RMCHCS is notifying 209,280 individuals about this incident.


DataBreaches.net repeats its frequent — and unabashedly strident — call for HHS and OCR to issue some guidance to have entities disclose incidents sooner — even interim notices — when they are aware ePHI has been publicly dumped on the internet — even if the victims pay ransom because criminals pinky swear that they will destroy all the files and never ever share it.  Here’s a news flash:  criminals lie.  Once an entity knows that criminals got their hands on sensitive and personal information that could be misused, they should promptly issue a warning for people to take steps to be alert and to protect themselves.

 

Category: Breach Incidents, Commentaries and Analyses, Malware, U.S.
