DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

A hospital’s patient data was stolen in June and they should have known it. Why are they claiming they didn’t know?

Posted on December 30, 2022 by Dissent

Six months after DataBreaches reported that Fitzgibbon Hospital in Missouri had been the victim of a ransomware attack by Daixin Team, the hospital has finally disclosed the incident.

In a notification, the hospital claims that they detected the unauthorized access on June 6. But then they immediately make a demonstrably false statement. They state, “Though the investigation is ongoing,  Fitzgibbon Hospital discovered on December 1, 2022 that some patients’ identifiable and/or protected health information may have been accessed and acquired in connection with this incident, including impacted individuals’ full names, Social Security numbers, driver’s license numbers, financial
account numbers, health insurance information, and/or medical information.”

The problem with that statement is that DataBreaches reported the attack on June 27 and reported some of the data the attackers had acquired. Not only would they have known by June 27 at the latest — and DataBreaches had emailed them several times by then — the bad actors had also informed DataBreaches that on June 9, someone representing the hospital had entered the support chat. They were given a test decryption and shown proof of data exfiltration.

Indeed, at any time in June, Fitzgibbon had plenty of reason to already know that protected health information had been exfiltrated — including data posted to Daixin Team’s leak site. And to make it worse, the data were then also leaked in August on Breached.co.  Is Fitzgibbon trying to claim that the cybersecurity professionals it immediately hired in June never saw the data on the dark web, read the chat transcripts, or saw the leak on Breached.co in August?  Seriously?

The hospital’s claims to have discovered on December 1 that PHI may have been accessed or acquired is the kind of misrepresentation that class action lawyers may love.

Fitzgibbon’s full notice of December 30 can be found linked  on their website. Nowhere does it inform anyone that patient data was leaked on the dark web and made freely available.

Compare Fitzgibbon’s notice to the details provided in DataBreaches’ reporting on June 27.  Is it really credible that they didn’t know PHI was involved until December 1? Once they knew in June that PHI had been accessed, the 60 day clock started running for them. It didn’t start at the conclusion of any investigation, and it’s about time HHS started taking the 60 day deadline seriously.

Fitzgibbon patient data has been publicly available since mid-June of 2022. Patients shouldn’t first be finding out now that their data were exfiltrated, and even now, they are still not being told that their data are on the internet — unless they happen to read DataBreaches.

 

 

Category: Health DataU.S.

Post navigation

← Retreat Behavioral Health addiction treatment centers hit by ransomware earlier this year
Oregon AG Rosenblum Settles with Avalon Healthcare over 2019 Data Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.