DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Christus Health ransomware incident involved theft of sensitive patient and employee data

Posted on May 17, 2022 by Dissent

First, the good news (such as it is): a ransomware attack on Christus Health by Avos Locker has not impacted patient care. Now, the bad news: the threat actors acquired — and have already leaked — a lot of sensitive information on patients and employees.

On May 11, Avos Locker added Christus Health to their dark web leak site. The leak site contains a notice that all data on the leak site are available for sale if the owner does not pay.

In a statement provided to Information Security Media Group, CHRISTUS Health said it recently learned of “unauthorized activity” on its computer network.

“This was quickly identified and blocked by CHRISTUS information security. At this time, it appears that the incident is limited and didn’t impact any of CHRISTUS Health’s patient care or clinical operations. We are working with industry experts to investigate and address the issue. CHRISTUS values and is committed to the privacy and security of all those we are privileged to serve,” the statement says.

But note that an attack not impacting patient care does not mean the attack did not compromise patient or employee information. Inspection of the data leaked by the threat actors indicates that very sensitive information about patients and employees is in the hands of the threat actors.

DataBreaches inspected a sample of files in the leak. Here is a summary of just a few of the files:

  • a spreadsheet with the names of patients who tested positive for COVID-19 between March and June, 2020
  • a focused professional review of an employee included patient information from the case logs: patient name, date of service, diagnosis, and patient account number
  • admission records for a one-week period in 2019 that included patients’ names, date of birth, reason for admission, phone number, provider information, and health insurance information
  • an employee phone roster
  • a suspension letter to a named physician due to delinquent medical records
  • other letters to named physicians of the format:

This letter is to notify you that you have received a fourth (4th) suspension for the same delinquent medical record(s) in three consecutive months (September, October, November and December 2021). A copy of this letter will be placed in your Quality Management file for consideration by the Credentials Committee at the time of reappointment.

  • files with patients’ health insurance information and billings
  • a 17-page Operating Room Schedule dated 05/02/2022 with patient name, date of birth, phone number, medical record number, type of procedure, reason for visit, type of insurance, name of surgeon/anesthesiologist, and type of anesthesia. Each page had multiple patient records on it; and
  • a tumor conference patient list with information on six patients for consideration at a July 2020 case conference. Each patient’s name, date of birth, social security number, and type of tumor issue, was included.

Again, that is just a small sample, but it’s clear that the threat actors acquired files with sensitive medical information on patients and sensitive personnel information. What else they got and how much they got is as yet unknown.

Related posts:

  • CHRISTUS St. John reports patient information breach
  • U.S. medical entities fall prey to Pysa threat actors, but many haven’t disclosed it – at least, not yet.
  • “Without Undue Delay,” Part 2
  • HHS starts to reveal healthcare breaches reported to government
Category: Breach IncidentsHealth DataMalwareU.S.

Post navigation

← Conti claims to have inside information on Costa Rica, escalates threats
Mandiant Quietly Investigating Suspected Russian Intrusions →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.