DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

A hospital’s patient data was stolen in June and they should have known it. Why are they claiming they didn’t know?

Posted on December 30, 2022 by Dissent

Six months after DataBreaches reported that Fitzgibbon Hospital in Missouri had been the victim of a ransomware attack by Daixin Team, the hospital has finally disclosed the incident.

In a notification, the hospital claims that they detected the unauthorized access on June 6. But then they immediately make a demonstrably false statement. They state, “Though the investigation is ongoing,  Fitzgibbon Hospital discovered on December 1, 2022 that some patients’ identifiable and/or protected health information may have been accessed and acquired in connection with this incident, including impacted individuals’ full names, Social Security numbers, driver’s license numbers, financial
account numbers, health insurance information, and/or medical information.”

The problem with that statement is that DataBreaches reported the attack on June 27 and reported some of the data the attackers had acquired. Not only would they have known by June 27 at the latest — and DataBreaches had emailed them several times by then — the bad actors had also informed DataBreaches that on June 9, someone representing the hospital had entered the support chat. They were given a test decryption and shown proof of data exfiltration.

Indeed, at any time in June, Fitzgibbon had plenty of reason to already know that protected health information had been exfiltrated — including data posted to Daixin Team’s leak site. And to make it worse, the data were then also leaked in August on Breached.co.  Is Fitzgibbon trying to claim that the cybersecurity professionals it immediately hired in June never saw the data on the dark web, read the chat transcripts, or saw the leak on Breached.co in August?  Seriously?

The hospital’s claims to have discovered on December 1 that PHI may have been accessed or acquired is the kind of misrepresentation that class action lawyers may love.

Fitzgibbon’s full notice of December 30 can be found linked  on their website. Nowhere does it inform anyone that patient data was leaked on the dark web and made freely available.

Compare Fitzgibbon’s notice to the details provided in DataBreaches’ reporting on June 27.  Is it really credible that they didn’t know PHI was involved until December 1? Once they knew in June that PHI had been accessed, the 60 day clock started running for them. It didn’t start at the conclusion of any investigation, and it’s about time HHS started taking the 60 day deadline seriously.

Fitzgibbon patient data has been publicly available since mid-June of 2022. Patients shouldn’t first be finding out now that their data were exfiltrated, and even now, they are still not being told that their data are on the internet — unless they happen to read DataBreaches.

 

 

Related posts:

  • OakBend Medical Center hit by ransomware; Daixin Team claims responsibility
  • Another hospital hit by ransomware: Columbus Regional Healthcare System in North Carolina hit by Daixin
  • Exclusive: Daixin Team claims responsibility for attacks affecting Canadian hospitals, starts leaking data
  • Acadian Ambulance hit by ransomware attack; Daixin claims info on 10 million patients stolen
Category: Health DataU.S.

Post navigation

← Retreat Behavioral Health addiction treatment centers hit by ransomware earlier this year
Oregon AG Rosenblum Settles with Avalon Healthcare over 2019 Data Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.