DataBreaches.Net


Employee and patient files from Montgomery General Hospital leaked by ransomware group

Posted on April 2, 2023 by Dissent

An email DataBreaches received yesterday from an unrecognized account contained just one line – a link to a new listing on the D#nut Leaks ransomware group’s leak site about Montgomery General Hospital (MGH) in West Virginia. MGH is part of the Montgomery General Health Care System, Inc., which includes the hospital, Montgomery General Elderly Care, Montgomery General Extended Care, and Montgomery MedCorp, Inc.

But D#nut Leaks had done more than add MGH’s name to their leak site. They had also dumped files from the hospital.

DataBreaches replied to the person who had emailed the link. Unsurprisingly, they were a D#nut Leaks member, and they confirmed that their group had locked some of MGH’s files in an attack early in March. When DataBreaches asked how they gained access to MGH, the spokesperson answered, “via Microsoft Exchange exploit.”

Victims often do not respond to ransom demands or contacts from their attackers. In this case, MGH reportedly responded, and D#nut Leaks shared some chat logs with DataBreaches.

The chat began on March 5 when someone showed up claiming to be a member of MGH’s executive team. D#nut’s negotiator (“d0nut”) told MGH:

We are here to inform you that we have infiltrated your network and stayed there for 3 days (it was enough to study your documentation and gain access to your files and services). Also, we have downloaded personal data related to your patients, employees and management. Since your business provides critical services and its infrastructure is necessary for ordinary people’s health, we decided not to crypt or damage your network. But we still have downloaded sensitive data from there, so we could make a deal. We know that your IT team found us in your network; we also know that they installed Sentinel Antivirus to resist us. After a few hours we removed this AV. At this point we made a decision not to damage your network, but to discuss this situation with your administration and negotiate about the sensitive data we own from your network.

d0nut also told the MGH negotiator that they wanted $750,000 for a decryptor and deletion of exfiltrated files. MGH was provided a partial file tree and the ability to decrypt a few files for free as proof.


From the hospital’s site: “Montgomery General Hospital is a 25 bed critical access facility that provides care to over 1,000 inpatients, 40,000 outpatients, and care for over 10,000 emergencies on an annual basis. Montgomery General Hospital serves as a general acute care hospital to Fayette and surrounding counties in the state of West Virginia.”

MGH did not make any counteroffer but asked for more information (an entire file tree, not just a partial one), a lower price, and more time. As we have seen in other cases, the hospital stated that as a non-profit, it could not afford what was demanded. MGH’s negotiator also said they had to go through specific processes to get board approval for expenses above a certain amount. There was no mention of any cyberinsurance.

After some back and forth over time, D#nut Leaks’ negotiator appeared to lose patience after MGH reported the results of one board meeting but stated there would be another board meeting the following week:

The board meeting went well last night, they had a few questions about the data that was taken and we have sent that to the board for their review. We will follow up next week once we have approval from them to make an offer.

“Please give us your offer on Monday. We couldn’t wait for you forever,” D#nut’s negotiator responded.

Although MGH’s negotiator insisted they were trying their best, they did not make any counteroffer, and on March 31, 26 days after negotiations started, D#nut Leaks dumped the data.

DataBreaches contacted MGH via its website contact form yesterday and emailed Denzil Blevins, their CIO. No replies were received.

The data leak

DataBreaches has not reviewed the entire leak but has seen three kinds of files: employee-related files with personnel and payroll information for former and current employees (Social Security numbers, pay rate, etc.); patient files with medical histories, diagnoses, treatment plans and test results; and health insurance billing records with policy information, dates of service, CPT codes and amounts charged. No large employee-related or EMR databases were seen in the cursory review of files.

DataBreaches will continue to monitor the situation, but it is already clear that MGH will have some notifications to make to employees, patients, and regulators.
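The three kinds of files described above (Social Security numbers in payroll exports, CPT codes on billing records, and free-text clinical notes) are what an incident response team has to enumerate before it can scope notifications to employees, patients and regulators. The script below is an added example, not code from DataBreaches.net, the hospital or the ransomware group; it walks a set of constructed sample files embedded in the script, flags which ones contain notifiable data, and tallies files per category. The file names, file contents and the clinical keyword list are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records standing in for a leaked file set. No real
# people or data: the SSNs below are made up, and one of them is
# deliberately invalid (area number 000) to show the validity filter.
SAMPLE_FILES = {
    "payroll_2022.csv": (
        "name,ssn,pay_rate\n"
        "J Doe,123-45-6789,21.50\n"
        "A Roe,345-67-8901,19.00\n"
        "Bad Row,000-12-3456,0.00\n"
    ),
    "visit_note.txt": "Patient seen for chest pain. Dx: stable angina. Plan: stress test.\n",
    "claims_q1.txt": (
        "Policy 00112233 DOS 01/14/2023 CPT 99213 charged 185.00\n"
        "Policy 00112233 DOS 02/02/2023 CPT 93000 charged 60.00\n"
    ),
    "readme.txt": "Internal IT notes. Help desk 555-0100. Office zip 25136.\n",
}

# Dashed SSN, rejecting area numbers 000, 666 and 900-999, group 00 and
# serial 0000, which the SSA never issues. Undashed 9-digit runs are
# ignored on purpose: they collide with too many other identifiers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# CPT codes are five digits, so a bare 5-digit match would also hit ZIP
# codes; require the "CPT" label that billing exports carry.
CPT_RE = re.compile(r"\bCPT\s*[:#]?\s*(\d{5})\b", re.IGNORECASE)

# Clinical narrative has no fixed pattern; flag on vocabulary (assumed
# list) and route those files to a human reviewer rather than a regex.
CLINICAL_TERMS = ("patient", "diagnosis", "dx:", "treatment plan", "test result")


def scan_text(text):
    """Return the distinct SSNs, CPT codes and clinical terms found in one file."""
    return {
        "ssn": set(SSN_RE.findall(text)),
        "cpt": set(CPT_RE.findall(text)),
        "clinical": {t for t in CLINICAL_TERMS if t in text.lower()},
    }


def classify(files):
    """Map each file that contains notifiable data to its categories and counts.

    Files with no hits are omitted, so the result is the review worklist.
    """
    findings = {}
    for name, text in files.items():
        hits = scan_text(text)
        categories = set()
        if hits["ssn"]:
            categories.add("ssn")
        if hits["cpt"]:
            categories.add("cpt_billing")
        if hits["clinical"]:
            categories.add("clinical_narrative")
        if categories:
            findings[name] = {
                "categories": categories,
                "ssn_count": len(hits["ssn"]),
                "cpt_count": len(hits["cpt"]),
            }
    return findings


def summarize(findings):
    """Count how many files fall into each category, for the scoping memo."""
    return Counter(c for f in findings.values() for c in f["categories"])


if __name__ == "__main__":
    result = classify(SAMPLE_FILES)
    for name, info in sorted(result.items()):
        print(f"{name}: {sorted(info['categories'])} "
              f"(ssn={info['ssn_count']}, cpt={info['cpt_count']})")
    print("files per category:", dict(summarize(result)))
```

Running it produces a per-file worklist in which the payroll export shows two valid SSNs (the 000 row is dropped), the claims file shows two CPT codes, the visit note is flagged for clinical narrative, and the IT readme is not flagged at all even though it contains a phone number and a ZIP code. The point of the SSN validity rules and the "CPT" label requirement is to keep that false-positive rate low on a dump that may contain thousands of files; the keyword check for clinical text is intentionally loose because missing a patient record is the costlier error.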

Update: Marianne Kolbasuk McGee has a good update with the hospital’s response and notification plans. Read more at BankInfoSecurity.

Category: Breach Incidents, Commentaries and Analyses, Health Data, Malware

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.