DataBreaches.Net


Update: Goodman Campbell Brain and Spine ransomware incident affected 362,833 patients and employees

Posted on August 5, 2022 by Dissent

On June 9, DataBreaches reported that Goodman Campbell Brain & Spine in Indiana had apparently become a ransomware victim of Hive threat actors on or about May 20. The threat actors added the medical practice to their dedicated leak site on June 8 and leaked a “proofpack” that contained passwords for accounts as well as personal and financial information on doctors. The leak also included information on named patients with their diagnoses and procedures, with some insurance information. As DataBreaches noted in that report, the medical practice had already disclosed the incident on their own website.

On July 19, Goodman Campbell updated their website notice again and sent out notification letters to individuals. In a submission to the Maine Attorney General’s Office filed by their counsel at Hall, Render, Killian, Heath & Lyman, P.C., Mark Swearingen indicated that a total of 362,833 persons were affected. The submission does not break down how many of those were employees and how many were patients, and the medical group’s report is not yet displayed on HHS’s public tool to give us the number of patients affected. What we do know from Goodman Campbell’s disclosures is that the data types for any patient might include their name, date of birth, address, telephone number, email addresses, medical record number, patient account number, diagnosis and treatment information, physician name, insurance information, date(s) of service, and Social Security number.

But the July 19th letter to those affected, a copy of which was provided to the state, contains a curious statement:

While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the Dark Web, which is a portion of the internet that cannot be found by search engines and is not viewable in a standard web browser and is commonly used in these types of attacks.

That statement is not mirrored in their July 19th website update. Nor is it accurate.

In a June 17 update on Goodman Campbell’s site, they wrote:

While our investigation with forensic experts and law enforcement officials is still ongoing, we have determined that a number of files obtained by the cyber criminals during the course of this cyber-attack have been posted on the dark web.

That statement was accurate. So where did Goodman Campbell get the idea that data may only have been exposed for 10 days? As of a check yesterday, the data from the proofpack posted on June 8 are still freely available.

A listing for Goodman Campbell Brain & Spine remains unchanged on Hive’s dark web leak site as of August 5.

DataBreaches emailed Goodman Campbell yesterday to inquire why they claimed data was on the dark web for (only?) 10 days. No reply was received.

DataBreaches will continue to monitor dark web sites including Hive’s to see if there is a major data leak from this incident at some point. It would not be unusual for Hive to do a full data leak or dump months after an entity refused to pay ransom.

But even if Hive does not dump more data than they have already leaked, patients and employees of Goodman Campbell should understand that their personal and protected health information is still in the hands of criminals who may dump it or misuse it at any moment. Goodman Campbell appears to be offering those affected one year of complimentary credit report monitoring through TransUnion. That provides the ability to check your credit report to determine if there are any suspicious changes, but it’s not the same as monitoring dark web sites to see if your name or identity information has shown up anywhere.

In this type of situation where patients and employees may not know when the situation changes, it might be prudent to consider putting a security freeze on your credit report so that new accounts requiring the use of a Social Security number cannot be opened if the lender does a credit report check.

Category: Breach Incidents, Commentaries and Analyses, Health Data, Malware, Of Note

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.