On September 9, Empress EMS in New York contacted HHS to report an incident that affected 318,558 patients. According to a notice on their website, an unauthorized individual gained access to their system on May 26 and copied what they describe as a “small subset of files” on July 13. On July 14, Empress discovered the breach when their files were encrypted.
What their disclosure does not reveal is that the ransomware group was Hive.
Correspondence from Hive to Empress shared exclusively with DataBreaches showed that Hive contacted Empress on July 14 and 15 by email. In their first email, they wrote, in part:
! ! ! DO NOT TRY TO DECRYPT OR CHANGE ENCRYPTED FILES ON YOUR COMPUTERS, IT WILL COMPLETELY DESTROY THEM ! ! !
Ladies and gentlemen! Attention, please!
This is HIVE ransomware team. We infiltrated your network and stayed there for 12 days (it was enough to study all your documentation and gain access to your files and services),
encrypted your servers.
Downloaded most important information with a total size over 280 GB
Few details about information we have downloaded:
– contracts, nda and other agreements documents
– company private info (budgets, plans, investments, company bank statements, etc.)
– employees info (SSN numbers, emails, addresses, passports, phone numbers, payments, working hours, etc.)
– customers info (SSN numbers, emails, addresses, passports, phone numbers, payments, working hours, etc.)
– SQL databases with reports, business data, customers data, etc.
– approximate number of personal records including addresses and ssn’s data is above 10000 units
A sample of files provided to Empress with Hive’s July 15 email, also provided to DataBreaches, included protected health information of some of Empress EMS’s patients. Hive claimed to have more than 100,000 Social Security numbers as part of the data they exfiltrated.
Empress EMS briefly appeared on Hive’s leak site in July, long enough to be detected by RedPacket Security and tweeted, but as of the time of this publication it is no longer listed there, and DataBreaches does not believe that Hive has dumped or leaked any sensitive information (or, at least, not yet).
DataBreaches reached out to Empress in July to ask about the incident and about whether the encryption was impairing their ability to provide emergency medical care. They never replied, but DataBreaches never saw any alerts on their website about any interruptions or delays in service.