First Choice Community Healthcare (FCCH) is a non-profit healthcare system in New Mexico providing a range of services to the community. In a press release issued today, they describe a security incident that they discovered on March 27, 2022. The notice is also posted on their website.
Their notice talks about how the incident “may have involved” personal and protected health information and that information “may have been accessed or acquired without authorization.” The type of information involved included:
Provider names, Social Security numbers, First Choice patient ID number, diagnosis and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth, and provider information.
Nowhere in their notice do they forthrightly tell people that this was a ransomware attack, that some data was leaked by the ransomware team, and that they paid ransom.
On April 7, DataBreaches reported the addition of FCCH to Hive’s dedicated leak site. DataBreaches inspected the internal documents and patient files that Hive disclosed as proof and then reached out to FCCH to ask them about the incident, noting that how shortly after the listing first appeared, it disappeared.
FCCH never replied to the inquiries.
FCCH was listed as a target on Hive’s dedicate leak site on April 7, 2022. Hive claimed to have acquired HR, financial, and patient records and claimed that they had four database tables with a total of approximately 550,000 records. The listing, which included samples of the data, was removed shortly thereafter.
Weeks later, HHS issued an analyst’s report on Hive ransomware.
Today, DataBreaches sent another email to FCCH asking them about whether they had been able to decrypt any encrypted files and whether they had paid ransom to Hive. No reply has been received as of the time of this publication.
FCCH’s notification seems to be one more example of an unwelcome trend towards less transparency rather than more transparency.
Why is the transparency important as long as people get notified, you ask? Well, for one thing, the ransomware team had information in their hands that may have included credentials that can be used to attack other victims. As Steffen Zimmermann recently told DataBreaches when discussing ransomware attacks and how ransomware teams find other victims to explore:
in industry cases I have seen so far, spear phishing was the main entrance — spear phishing by reusing stolen data from other ransomware victims.
More or less walking through the supply chain.
In general:
— Attempts to protect the entity from disclosing anything that could be used against them in possible litigation may leave patients without information that might help them assess their risk and what steps they may need to take to protect themselves, and
— Attempts to protect the entity from disclosing anything that could be used against them in possible litigation may leave other entities at risk because they are not learning that their credentials may have fallen into the hands of a ransomware team who will then start using the information to compromise them.
Attempts to protect the entity are selfish endeavors that fly in the face of regulations intended to notify those at risk from a breach. What they are doing may be legal, but it is a self-serving cover-up that basically says “Screw the patients and the people whose information we failed to protect. Now we are just looking out for ourselves.”
DataBreaches will continue to call out entities who fail to disclose ransomware attacks or to be more forthcoming about incidents, and hopes that others will also call them out. Maybe we need a #StopTheCoverUp hashtag on Twitter?
Update: Post-publication, DataBreaches received a reply email from FCCH that said, in its entirety:
Patient care was not impacted. Beyond that, what we have on our site is all we are going to say at this time. Thank you.
So even when asked directly, they did not admit that this was a ransomware incident and that ransom was paid.
Update2: The incident has just appeared on HHS’s public breach tool as affecting 101,541 patients. It was reported to HHS on August 1, more than four months after they discovered the attack and almost four months since DataBreaches first reported the breach publicly.