In May, DataBreaches dutifully noted The Chattanooga Heart Institute (CHI) on our non-public worksheets. At the time, all we knew was that Karakurt threat actors had claimed to have attacked them and to have exfiltrated 158 GB of data. There was no proof of claim offered, but Karakurt wrote:
Employees and patients’ private data will soon be here available for everyone. Medical records, tests results, diagnoses, social security numbers, passports, addresses, phone numbers, financial data and other documents are going to be uploaded.
CHI never replied to the inquiry DataBreaches sent them on May 23, but on July 28, they notified the Maine Attorney General’s Office that 170,450 people were affected by an incident that they describe on their website as a “data security incident” or “cyberattack.”
The notice explains that on April 17, they detected indicators of a cyberattack and initiated their response plan. An investigation, conducted with the assistance of an external forensics firm, found that the network had been accessed between March 8 and March 16, but it wasn’t until May 31 that they learned that patients’ protected health information and guarantors’ information had been acquired. There was no evidence that the data had been retrieved from the EMR system.
The information that could have been subject to unauthorized access reportedly includes patient or guarantor name, mailing address, email address, phone number, date of birth, driver’s license number, Social Security number, account information, health insurance information, diagnosis/condition information, lab results, medications and other clinical, demographic or financial information.
Notifications have yet to be sent out to all those affected; CHI indicates letters will be sent out “over the coming weeks” as detailed reviews of files are completed. Those notified will be offered credit monitoring and identity theft restoration services.
But nowhere in CHI’s notification does it ever reveal that there was a ransom demand from a known criminal group. Nor is there any mention that patient data might show up on the dark web.
As of publication, Karakurt has not leaked any of the data. DataBreaches will continue to monitor the leak site to see if patient data, guarantor data, or employee information is ever leaked there.