DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Visiting Physician’s Network in Texas silent about ransomware attack and incident response

Posted on September 18, 2023September 12, 2024 by Dissent

One of the newer ransomware groups to open a leak site is “ThreeAM.” Bleeping Computer recently reported that the ThreeAM malware is written in Rust, and on at least one occasion, researchers discovered that when LockBit failed, ThreeAM (aka 3AM) was successfully deployed. Symantec has more details on the malware and the group’s methods.

ThreeAM caught DataBreaches’ eye because one of the victims on their leak site is Visiting Physician’s Network (VPN) in Texas. The medical practice appeared to have been added on or about September 4.

As many other groups also do, ThreeAM simply copies and pastes the description of the victim from the victim’s own website.  Image: DataBreaches.net

In this case, the listing also indicates that the threat actors have leaked 85% of the files they acquired and that 272 people have viewed the listing. The listing also shows that they acquired patient chart scans, divided into three groups of folders by patients’ last name. The listing doesn’t indicate how many people may have downloaded or viewed the scanned files.

When expanded, each of the three parts of the leak contained folders on numerous patients. The first part, for example, has folders for patients whose last names began with A-I. There are almost 1,160 patient folders in that one part, and for every patient, there are multiple files — usually from 2016 or 2017. The following image, redacted by DataBreaches, shows a number of files for one patient. Every filename begins with the patient’s first name and last name — a system used for all their patient records in these directories.

Image: DataBreaches.net

Some patients had many more files than others. Most filenames included not only the patient’s name, but a date, and something describing the nature of the information in the file. For many files, the purpose appeared to be related to prescriptions, lab results, consent, or other issues.  Some files, when examined, were multi-page files with detailed medical histories, demographic information, and social histories as well. All of this is considered protected health information (PHI) under HIPAA.

Filenames showed dates of service and issues or types of service. Image: DataBreaches.net

On September 15, DataBreaches reached out to VPN via their website contact form. No reply was received. A second inquiry was sent today, requesting that they answer some questions via email or telephone. No reply has been received, though.

Based on prior reports about ThreeAM, DataBreaches sent them some inquiries on September 16. They replied today, responding to the first question by saying that they had checked VPN’s security three weeks ago, and had locked it and “unloaded all their data.”

Not responding directly to another question about how much money they were demanding, they replied, “This is sensitive information, but we never ask for more than companies can pay for our services.”

DataBreaches also asks ransomware groups whether their victims have responded at all to any demands. In this case, ThreeAM replied that VPN was “…very negligent with their security and lost data, their customers and employees data. (sic) They have not been in touch.”

ThreeAM declined to offer any other information or comments about the incident, but did state, “We want you to know that we are not extortionists as we are now commonly called on the internet, we are a team providing network security services to companies and we ask for a token amount for our work, after which we explain in detail all their problems and vulnerabilities in the network so that they are never exposed again. All the data of the companies that have cooperated with us will never leak into the network.”

DataBreaches genuinely has no idea whether these ransomware groups harbor any hope that anyone will believe that they are not extortionists when they are holding data or a decryption key hostage.

More importantly, there is no notice on VPN’s website and they have not responded transparently to inquiries. VPN is still within the “no later than 60 days” deadline for notifying HHS and patients as specified by HIPAA. But the fact that they have not posted anything on their site at all to alert patients that not only has their sensitive data been stolen but is already being freely distributed on the dark web is concerning.

Category: Breach IncidentsHealth DataMalware

Post navigation

← More victims of MOVEit breach are revealed: Nuance discloses for covered entities (UPDATE 1)
Law Firm Accused of Waiting More Than a Year to Inform Affected Parties About Data Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.