DataBreaches.Net


It took an HHS complaint, but three years later, some Ventura Orthopedic patients are finally being notified of a ransomware attack

Posted on November 2, 2023 by Dissent

In August 2020, DataBreaches reported that the Maze ransomware gang had added Ventura Orthopedics to their name-and-shame leak site. At the time, Ventura did not respond to inquiries about whether they would confirm or deny the claims. And they did not respond to other inquiries from DataBreaches when the Conti ransomware gang subsequently listed 1,850 Ventura Orthopedics on its leak site.

On August 28, 2020, DataBreaches updated its post to report that this site was contacted by Chris Roberts, who was with HillBilly Hit Squad at the time. Roberts said he was contacting DataBreaches on behalf of Ventura Orthopedics, who had asked him to help explain the incident and their then-current status. Roberts stated that he was still conducting forensics and asked if he could get back to DataBreaches shortly. DataBreaches agreed.

Roberts never followed through with DataBreaches, and after a few polite attempts on this site’s part, he did not respond at all.

In January 2021, DataBreaches wrote a report to follow up on some breaches that had not been publicly disclosed. It included Ventura Orthopedics. DataBreaches also filed a watchdog complaint with HHS OCR about Ventura.

Over the next few years, there was no real progress or resolution that DataBreaches could detect. DataBreaches would occasionally get an inquiry from HHS asking if there were any updates and if we still had all the data we had offered to HHS when we filed the complaint. Things started to move, however slowly, in an April 2023 conference call with HHS, during which their investigator asked DataBreaches if we would be willing to reach out to Ventura to offer them a copy of the data. DataBreaches firmly (and somewhat impolitely) declined, stating that DataBreaches had reached out multiple times to Ventura to no avail and their consultant had ghosted DataBreaches.  If Ventura wanted help from DataBreaches, they would have to pick up the phone and ask for it.

Several months later, they did. In September 2023, DataBreaches met with their CFO and IT Director in a video conference call. Neither of them had been employed by Ventura at the time of the breach, and they were first trying to understand exactly what had happened and what Ventura had done in response. DataBreaches gave them a recap of the incident and its chronology, and arranged to securely transmit all the data from the leaks.

Today, Ventura contacted DataBreaches with a copy of the notification letter they are now mailing out to those affected.  The letter explains, in relevant part:

We are sending you this letter as part of our continuing commitment to your privacy. Recently, we became aware that a health information security breach that occurred on July 28, 2020 was more extensive than we believed at the time. The breach involved a ransomware attack on our server resulting in the exposure of a number of documents. Our initial investigation indicated that the health information of only one patient had been compromised. However, on September 13, 2023, we learned that breach involved information about a larger group of patients. The information came from the server files of a single physician and his physician assistant and was limited to the patient’s name, date of birth, and drug and laboratory testing results from 2016, 2017, and 2018. We have reason to believe that your information was among those files.

In August 2020, we took steps to investigate the incident, to notify the patient of the breach, and to prevent any such breach from recurring. This included a full internal lockdown as well as an outside security audit to ensure our electronic medical record system had not been infiltrated. We recently conducted a formal security risk assessment across all our data center facilities. We have received no evidence to suggest that any further patient information has been disclosed or breached since that time.

No social security numbers, financial account or payment card information was exposed as a result of the July 28, 2020 breach.

Ventura has also posted a notice on its website.

What a shame that HHS didn’t handle this faster, although the pandemic may have slowed things down somewhat.  For three years, patients may have had no idea their protected health information was stolen and leaked.

DataBreaches does not yet know how many patients Ventura has now notified. Nor does DataBreaches yet know what, if anything, HHS OCR will do at this point. Will it just close the investigation and send DataBreaches a closing letter? Will it impose conditions on Ventura? Will there be any monetary penalty? DataBreaches hopes it won’t take another three years to find out, but is pleased that now patients are being informed of what they should have been told three years ago.

Category: Commentaries and Analyses, Health Data, Of Note, U.S.
