DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

A hospital’s patient data was stolen in June and they should have known it. Why are they claiming they didn’t know?

Posted on December 30, 2022 by Dissent

Six months after DataBreaches reported that Fitzgibbon Hospital in Missouri had been the victim of a ransomware attack by Daixin Team, the hospital has finally disclosed the incident.

In a notification, the hospital claims that they detected the unauthorized access on June 6. But then they immediately make a demonstrably false statement. They state, “Though the investigation is ongoing,  Fitzgibbon Hospital discovered on December 1, 2022 that some patients’ identifiable and/or protected health information may have been accessed and acquired in connection with this incident, including impacted individuals’ full names, Social Security numbers, driver’s license numbers, financial
account numbers, health insurance information, and/or medical information.”

The problem with that statement is that DataBreaches reported the attack on June 27 and reported some of the data the attackers had acquired. Not only would they have known by June 27 at the latest — and DataBreaches had emailed them several times by then — the bad actors had also informed DataBreaches that on June 9, someone representing the hospital had entered the support chat. They were given a test decryption and shown proof of data exfiltration.

Indeed, at any time in June, Fitzgibbon had plenty of reason to already know that protected health information had been exfiltrated — including data posted to Daixin Team’s leak site. And to make it worse, the data were then also leaked in August on Breached.co.  Is Fitzgibbon trying to claim that the cybersecurity professionals it immediately hired in June never saw the data on the dark web, read the chat transcripts, or saw the leak on Breached.co in August?  Seriously?

The hospital’s claims to have discovered on December 1 that PHI may have been accessed or acquired is the kind of misrepresentation that class action lawyers may love.

Fitzgibbon’s full notice of December 30 can be found linked  on their website. Nowhere does it inform anyone that patient data was leaked on the dark web and made freely available.

Compare Fitzgibbon’s notice to the details provided in DataBreaches’ reporting on June 27.  Is it really credible that they didn’t know PHI was involved until December 1? Once they knew in June that PHI had been accessed, the 60 day clock started running for them. It didn’t start at the conclusion of any investigation, and it’s about time HHS started taking the 60 day deadline seriously.

Fitzgibbon patient data has been publicly available since mid-June of 2022. Patients shouldn’t first be finding out now that their data were exfiltrated, and even now, they are still not being told that their data are on the internet — unless they happen to read DataBreaches.

 

 

Category: Health DataU.S.

Post navigation

← Retreat Behavioral Health addiction treatment centers hit by ransomware earlier this year
Oregon AG Rosenblum Settles with Avalon Healthcare over 2019 Data Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.