LCMH never responded to DataBreaches’ emailed inquiries to them about a significant data security breach claimed by Hive, but after Hive started leaking their data and DataBreaches published a post about the attack and data leak, LCMH gave news outlet KPLC a statement. Their brief statement can be found in its entirety on KPLC.
Of note, they claim that LCMH’s cybersecurity team “quickly identified and blocked the [unauthorized] activity.”
Their claim did not appear consistent with Hive’s claims about being in their network for 12 days and exfiltrating 270 GB before contacting LCMH, and DataBreaches sought an explanation from Hive for the seemingly conflicting claims. Hive’s administrator responded:
This “conflict” is quite simple to explain. By the time LCMH discovered our presence in their network, all necessary data was downloaded already and we have been deciding what to do next with LCMH company. Our decision was not to encrypt their network, because those actions might be critical for some of their patients. We knew that they found our presence in their network, but we still had an option to return to their network and stay there for as long as was needed, without being detected.
Of course LCMH management will refuse anything we say now, that is obvious, simply compare the date of our first message to them and the date of LCMH public announce about breach, it took 2 weeks.
Since our organisation is not pioneers and we have a lot of experience in this business, we absolutely sure that they did this announce after we told them that we will send message to government and regulators with full information about breach – you can check this through correspondance chat between Hive and LCMH.
We did everything we can to not to harm LCMH patients and employees. LCMH management just wasted 3 weeks, refused to protect their patients and stopped answering to us. This is what happened.
Comment: DataBreaches is aware that there are folks in the infosec and cybersecurity communities who feel that journalists should not be giving ransomware operators or gangs publicity or free coverage that might encourage their crimes. For the benefit of those who may be new readers of this blog, DataBreaches will simply reiterate that this site has made the decision that yes, it will report on ransomware attacks and claims. This site does not link to stolen data, nor does it publish unredacted personal or protected health information, but it does provide summaries and occasionally redacted screenshots. This site also does quote threat actors’ statements at times. Why? Because DataBreaches wants the public to be informed in a timely fashion and victims all too often fail to disclose immediately or tend to minimize the severity of an incident, the risk to patients, or their own mistakes or failures to adequately secure data. Could the threat actors be lying? Sure, but could victims ever be lying? Sure.
As always, DataBreaches encourages its readers to make up their own minds, or better yet, wait for forensic reports if they are ever made public.