On July 8, DataBreaches reported that Gateway Rehab in Pennsylvania had apparently become the victim of a ransomware attack by Blackbyte. DataBreaches’s report included redacted screenshots of files sensitive protected health information that had been leaked on the threat actors’ leak site. Gateway had not responded to inquiries from this site nor posted any notice on their own site at the time, and no report from Gateway had shown up on HHS’s public breach tool by then or even since then.
On November 18, Gateway Rehab issued a public notice. Their notice confirmed that they first discovered the incident in June, and by July 8 had confirmed that protected health information was involved. Specifically, the following data types may have been accessed or acquired: name, date of birth, Social Security number, driver’s license or state ID number, financial account and/or payment card number, medical information and health insurance information.
Their notice also includes this statement: “Gateway Rehab has no evidence that any of this information has been misused.”
No evidence that it has been misused? How would it know? Has it been using a consultant firm to run dark web searches and monitoring? What happened to the data that is no longer on Blackbyte’s leak site? Was it sold? Shared with others?
Why didn’t Gateway Rehab tell patients that their data was actually dumped publicly on the dark web? They didn’t even tell them that this was a ransomware incident — they called it a “data security incident.” It was (a data security incident), but the fact that the threat actors were financially motivated and leaking data might factor into someone’s assessment of their risk of harm and whether they need to take steps to protect themselves.
Gateway’s notice did not indicate how many patients had their personal and protected health information caught up in the incident, and so far, there has been no listing of this incident on HHS’s public breach tool from Gateway Rehab. Now that they have issued a public notice, however, the listing may soon appear on HHS’s website.
November 21: Gateway has been added to HHS’s public breach tool as impacting 130,000 patients.