Approximately 43,000 patients of an immediate care facility and its associated primary care practice in Chicago may or may not know it yet, but threat actors gained access to protected health information in December and proceeded to remove more than 500 GB of files between December and May 10. Or so the threat actors claim.
On Monday, DataBreaches.net was contacted by an individual who claimed that Michigan Avenue Immediate Care had been hacked.
“Stealed more that 580 GB personal information about ~43.000 patients including SSN , Proof ID and lab analyses , TEMPUS Covid information and more info,” the person wrote, using a protonmail account.
A single 13-page file with a named patient’s registration form for Michigan Avenue Immediate Care (MAIC) was attached. The form contained demographic information about the patient with their name, date of birth, address, telephone number, Social Security number, health insurance information, and medical history including lifestyle factors was provided. That file also included a photocopy of the patient’s driver’s license and an April, 2022 date for follow up at Michigan Avenue Primary Care.
Finding no media coverage of any breach, no report to HHS, and nothing on MAIC’s website, DataBreaches reached out to MAIC via email with questions about the claimed attack. Receiving no reply, DataBreaches sent a second inquiry earlier today, only to have it bounce back with a 550:blocked message. DataBreaches then sent a second email from this site’s domain email account. Although that email did not bounce back, no reply has been received.
With no information on MAIC’s or MAPC’s websites about any incident and no reply to emails, DataBreaches asked the threat actors if they would provide additional proof or details. They provided a 2.2 GB archive with protected health information (PHI) of patients. In addition to individual files with PHI, approximately 30 files in the sample were batched insurance claims with each page containing information on more than one patient. Batched claims included patient name, account number, date of service, provider name, health insurance plan, health insurance policy number, charges, and balance.
When asked for information about when the attack occurred, the threat actors replied (as in the original):
We has break his servers on december 2021 . We continued uploading his data until to 10 May . We collected data from Yosi System, Docman , Tempus Covid results and more another info . We demanded not big price for confidential about this breach, but he only delay time, not paying .
Of note, they also informed DataBreaches that they had not encrypted any files.
Although the correspondent wrote to DataBreaches in English, default auto-text in emails such the “original message” divider appeared in Russian.
Somewhat surprisingly, they hesitated when DataBreaches asked how this site should refer to them, but when asked if DataBreaches might know them from any other hack or incident, they promptly replied, “Last our hack is Wycokck Country UG,” referring to the Unified Government of Wyandotte County and Kansas City incident, reported last month. That attack, which was discovered on April 16, was still impacting some government services by April 29.
Eventually, DataBreaches was told that they could be called “Targetware Team,” but Databreaches is not confident that they used that name with WyCoKC or MAIC.
This post will be updated if MAIC responds to this site’s inquiries or if more information becomes available. As of the time of this publication, it is important to reiterate that they have not confirmed any breach to DataBreaches and if they did have a breach, it is not yet known to DataBreaches whether it was their breach or a third-party vendor’s breach.
Update 1 (May 19): No response has been received from MAIC yet, but the TAs continue to provide this site with more details and data including more than 5 GB of data from TEMPUS that included COVID-19 test results on patients as well as re-registration forms for patients to be seen at MAPE, and appointment details for patients to be seen at MAPE.
Of note, they informed DataBreaches today that they did not reach out to MAIC until May 1 with their demands. That does not explain, of course, how MAIC did not detect any intrusion or exfiltration going back to December.
In response to DataBreaches’ question as to whether both MAIC and MAPE were attacked (because the TEMPUS system files showed registration files and appointments for MAPE), the spokesperson responded that it was only MAIC that got hit. “They have very weak computer security. Hacking their systems took only 1.5 hours,” the spokesperson added.
As a further update, the TAs claim that they have started selling data. “We already sell all information for now,” they wrote. But when DataBreaches asked if that meant all 580 GB of files that they claimed to have or just the data that they already shared with DataBreaches, the spokesperson responded, “No , we only start selling it yesterday.”
DataBreaches will continue to follow and update this report.