Add NCG Medical to business associates who a ransomware attack has compromised. The medical billing service in Florida was added to the Hive ransomware group’s leak site on August 31, with Hive claiming that they encrypted NCG’s files on August 19.
The 12-day gap between encryption and publicly revealing the attack is a relatively short time frame. Many ransomware groups, including Hive, often give victims longer to respond to them or try to negotiate with them before going public. In response to an inquiry from DataBreaches, a Hive spokesperson indicated that NCG never responded to them at all, which may help explain why the attack has been disclosed so quickly.
Unlike some ransomware groups that offer “proof packs” or a handful of files as proof that they had access to their target’s server, Hive tends to dump a lot of data. The NCG incident is no exception. DataBreaches is still investigating the data that have been dumped so far but can see that it includes information on NCG’s clients who are covered entities under HIPAA. The files also include records of insurance-coded submissions for named patients with information on their diagnoses. One small archive alone had almost 10,000 coded records on named patients. DataBreaches is not even providing redacted screencaps at this point lest sensitive information accidentally be left unredacted.
To put it gently, NCG appears to have a lot to do to figure out who needs to be notified, how to notify them (addresses), and what data types were involved. Whether they will be notifying patients or the covered entities (their clients) will be a function of their business associate agreement with each client.
Although DataBreaches reached out to NCG, no reply was received, which is not surprising given it has been less than two weeks since they likely became aware of the attack and they have a lot to assess and respond to. DataBreaches does not know if they have backups or if the encryption of their files has impacted their functioning.
In addition to what the revealed on their leak site, Hive provided DataBreaches with some additional information, including what they wrote to NCG. In part, their message read,:
! ! ! DO NOT TRY TO DECRYPT OR CHANGE ENCRYPTED FILES ON YOUR COMPUTERS, IT WILL COMPLETELY DESTROY THEM ! ! !
Ladies and gentlemen! Attention, please!
We infiltrated your network and stayed there for 12 days (it was enough to
study all your documentation and gain access to your files and services),
encrypted your servers.Downloaded most important information with a total size over 270 GB
Few details about information we have downloaded:
– medical records from your clients clinics and practicies (patient name,
address, gender, SSN, diagnosis included)
– company private info (budgets, plans, taxes, etc.)
– clients company info (contracts, payrolls, slips, deposits, etc.)
– software source codes (PerfectCareEHR, billing services)
– SQL databases backups with reports, business data, customers data, etc.
– approximate number of personal records stolen including addresses and
ssn’s data is above 50000 units
From Hive’s claims, it sounds like they got 270 GB of data, much of which is protected health information.
DataBreaches will continue to monitor reports on this incident and will update as appropriate.