Kendal Enz reports:
Sea Mar Community Health Centers is facing numerous class action complaints for alleged inadequate cyber security procedures that resulted in a data breach of more than 650,000 class members’ sensitive information. The complaints, which were filed in November 2021 in King County Superior Court, were removed to Washington’s Western District Court this week.
The Washington healthcare provider was hacked by the infamous Marketo gang sometime between December 2020 and March 2021, and had 3 terabytes of patient’s sensitive information stolen, including names, addresses, birth dates, Social Security numbers and protected health information, according to one complaint.
Read more at Law Street.
DataBreaches.net first reached out to Sea Mar in June 2021, after seeing data posted on the Marketo leak site with a claim that they had 3 TB of data from Sea Mar. This site first reported on this breach in October 2021 having waited until Sea Mar first publicly acknowledged the breach. As made clear in that reporting, Sea Mar was contacted about the breach numerous times by this site in June and July of 2021 and Sea Mar even acknowledged in October that they had been contacted on the exact date in June that this site had first emailed them.
This site does not know when or how many times Marketo may have attempted to contact them — or whether any bad actors prior to Marketo had contacted them to attempt to extort them. If the data was exfiltrated between December of 2020 and March of 2021, it is hard to believe that no threat actor contacted them prior to June 2021 when the data showed up on Marketo. To the contrary, data generally does not show up on any leak site until after threat actors have tried and failed to extort a victim.
In January 2022, things appeared to get even worse for patients of Sea Mar when another group of threat actors called “Snatch Team” posted a listing from an unnamed “private company.” That listing made 22 TB of data publicly and freely available. Inspection of the data suggested that it was from Sea Mar, as Sea Mar’s name appeared frequently throughout the records.
Once again, DataBreaches.net reached out to Sea Mar to seek confirmation or denial. Once again, Sea Mar did not reply.
Getting no answer from Sea Mar, DataBreaches.net reached out to “Snatch Team” to ask them if the data were from Sea Mar. A spokesperson responded, “There is no Sea Mar company among our clients. All of this is private information and we cannot assert it belongs to this company.” It is not clear what that really means, though, as it might simply mean that some other threat actors gave them the data on consignment to try to sell and Snatch had no dealings with the original source.
Unlike the summer of 2021 when DataBreaches.net delayed publication to await confirmation from Sea Mar, DataBreaches.net did not delay publication this time, believing that if the data were/are from Sea Mar, then patients should be alerted to their now increased risk. DataBreaches.net’s attempts to validate the data and source are described in more detail in the January post.
DataBreaches.net is not the only entity that inspected the leaked data and believed it to be linked to Sea Mar. A senior intel analyst for a health insurance plan whose members’ data appeared in the leaked data contacted Sea Mar to ask them if the data were Sea Mar’s and if other Sea Mar patients who were insured by them now needed to be notified. After being told Sea Mar would call them back on that, they never got a callback.
To this site’s knowledge, Sea Mar has not sent out any updated notifications or press releases to alert patients that a lot of protected health information is now freely available on the internet. Visitors to their website will not find any mention of any data breach or any data breach update linked from their home page. Sea Mar’s original notification statement is still available on their website if you know where to look (https://www.seamar.org/seamar-downloads/2021-10-28-Breach_Notice.pdf)
As to the complaint and lawsuits: although the complaint talks about data showing up on “the dark web,” data have already shown up on two clear net sites — the clear net versions of Marketo and Snatch Team (assuming, for now, that the data on Snatch Team *are* from Sea Mar). So even more people can freely help themselves to patient data. Lawsuits reference “the dark web” as if somehow that makes things worse. When data are freely shared on clear net sites, even more people can discover the data and download it for potential misuse.
The case described in the Law Street article is Hall v. Sea Mar Community Health Centers, 2:22-cv-00184