A cyberattack on a U.K. accounting firm wound up leaking U.S. patient data. Now what?

Posted on November 20, 2023 by Dissent

DataBreaches would have passed over a listing on LockBit3.0’s site if Brett Callow hadn’t kindly called our attention to it. The listing by the threat actors was for HSKS Greenhalgh Chartered Accountants and Business Advisors, and LockBit claimed to have exfiltrated 168 GB of files with:

  • Employees (NIN numbers, passport scans, ID scans, Employee forms with personal data, residential address, telephone, DOB, tax forms with personal data P60, P45, contracts and much more)
  • Financial documents (balance sheet, budget, tax forms, various financial statements, audits, transactions, etc.)
  • Client databases, contracts, client working documents (corporate finances, audits, tax forms, employee information, court records, mail correspondence, USA patient database with personal data (Full name, DOB, ssn, address, telephone and other documents)
  • Various corporate documents marked confidential, audits, Board Minutes, marketing, analytics, various sage databases

“USA patient database” ??

When LockBit subsequently leaked the data, DataBreaches examined several files whose filenames included “patient.” One of them was a .csv file with patients’ first and last names, postal addresses with state and zip code, phone number, and SSN. There were no diagnoses or treatment information, just demographic information and SSN. Other files appeared to involve the same patients; some also had health insurance information and date of birth. One file had more than 1 million rows, although not necessarily 1 million unique patients, since the same person can appear in more than one row.

Almost all of the patient addresses were in Mississippi, but was this real patient data or test data?

Conducting a Google search for some individuals’ names plus “Mississippi,” DataBreaches found WhitePages listings that matched the names and cities in Mississippi. Attempting to validate a sample of SSNs from one of the files that did not contain dates of birth returned results that they were all valid SSNs, although the state in which an SSN was issued often did not match the patient being in Mississippi (but of course, people may have moved over their lifespan, and many of these patients were elderly, so a mismatch is not by itself evidence that a record is fake). Based on the sampling results, then, these appeared to be real patients’ data.
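The checks described above (is the SSN structurally valid, which state issued it, does the file contain repeated or placeholder numbers that would suggest test data, and how many rows are actually unique people) can be scripted before anyone spends time on manual lookups. The block below is an added example written for this post; it is not DataBreaches’ own tooling and contains nothing from the leaked files. Everything in it is an assumption for illustration: the sample rows are constructed and the names, phone numbers and SSNs are made up; the area-number-to-state table is only a small subset of the SSA’s published pre-randomization allocation (a real check would load the full table); and the function names are hypothetical. Two caveats the code enforces: the geographic inference only applies to SSNs issued before the SSA began randomizing assignment on 25 June 2011, and a mismatch between issuing state and current address is not evidence of fake data, because people move.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows for this example only; nothing here comes from the leaked
# file, and every name, address, phone number and SSN is made up.
SAMPLE_CSV = """first,last,city,state,zip,phone,ssn
Alice,Example,Jackson,MS,39201,601-555-0101,426-12-3456
Bob,Example,Tupelo,MS,38801,662-555-0102,587-44-1234
Carol,Example,Biloxi,MS,39530,228-555-0103,433-21-5678
Dan,Example,Hattiesburg,MS,39401,601-555-0104,000-11-2222
Erin,Example,Meridian,MS,39301,601-555-0105,426-12-3456
Frank,Example,Gulfport,MS,39501,228-555-0106,123-45-6789
Grace,Example,Oxford,MS,38655,662-555-0107,530-22-9876
"""

# Small subset of the SSA's pre-randomization area-number allocation, used to infer
# the issuing state. Assumption: a real check loads the full SSA table; only a few
# states are listed here so the example stays short.
AREA_TO_STATE = {}
for _state, _ranges in {
    "NY": [(50, 134)],
    "TN": [(408, 415)],
    "AL": [(416, 424)],
    "MS": [(425, 428), (587, 588), (752, 755)],
    "AR": [(429, 432)],
    "LA": [(433, 439)],
}.items():
    for _lo, _hi in _ranges:
        for _area in range(_lo, _hi + 1):
            AREA_TO_STATE[_area] = _state

# Structurally valid numbers that are well known to appear in sample and test data.
PLACEHOLDERS = {"123-45-6789", "078-05-1120", "219-09-9999"}

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def parse_ssn(text):
    """Return (area, group, serial) as ints, or None if the field is not SSN-shaped."""
    m = SSN_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_structurally_valid(ssn):
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    parts = parse_ssn(ssn)
    if parts is None:
        return False
    area, group, serial = parts
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def issuing_state(ssn):
    """State inferred from the area number. Only meaningful for SSNs issued before
    randomization began on 25 June 2011; returns None if the area is not in the subset."""
    parts = parse_ssn(ssn)
    if parts is None:
        return None
    return AREA_TO_STATE.get(parts[0])


def triage(csv_text):
    """Summarize a patient-style CSV: row vs unique-SSN counts, structural validity,
    placeholder numbers, and whether the issuing state matches the address state."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(r["ssn"].strip() for r in rows)
    result = {
        "rows": len(rows),
        "unique_ssns": len(counts),
        "duplicated_ssns": sum(1 for c in counts.values() if c > 1),
        "invalid": 0, "placeholder": 0,
        "state_match": 0, "state_mismatch": 0, "state_unknown": 0,
    }
    for r in rows:
        ssn = r["ssn"].strip()
        if not is_structurally_valid(ssn):
            result["invalid"] += 1
            continue
        if ssn in PLACEHOLDERS:
            result["placeholder"] += 1
        state = issuing_state(ssn)
        if state is None:
            result["state_unknown"] += 1
        elif state == r["state"].strip().upper():
            result["state_match"] += 1
        else:
            # People move, so a mismatch is recorded but is not treated as proof of fakery.
            result["state_mismatch"] += 1
    return result


def looks_like_test_data(summary):
    """Heuristic: many invalid or placeholder SSNs, or mostly repeated SSNs, suggests a
    synthetic file. Passing these checks does not prove the data is real."""
    if summary["rows"] == 0:
        return True
    checked = summary["rows"] - summary["invalid"]
    if summary["invalid"] / summary["rows"] > 0.2:
        return True
    if checked and summary["placeholder"] / checked > 0.2:
        return True
    return summary["unique_ssns"] / summary["rows"] < 0.5


if __name__ == "__main__":
    summary = triage(SAMPLE_CSV)
    for key, value in summary.items():
        print(f"{key:16} {value}")
    print("looks like test data:", looks_like_test_data(summary))
```

On the constructed sample the script reports 7 rows but 6 unique SSNs, one structurally invalid number, one placeholder, three issuing-state matches for Mississippi and two mismatches, and does not flag the file as test data. Thresholds in `looks_like_test_data` are illustrative; the point is that row counts overstate unique patients and that structural validity plus a name lookup, as the post describes, is what separates real records from fixtures.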

But whose data was it originally?  Nothing in the .csv fields or file metadata indicated the data’s U.S. source.

DataBreaches sent an inquiry to HSKSG asking for clarification on how a patient contact database with U.S. patient information wound up on their server. The inquiry asked, in part:

And because it’s somewhat unusual, can you explain to me why there is a large .csv file with patient data on American patients who appear to be mostly from Mississippi? How did a UK business acquire patient data from the U.S.? Did/do you have consent of American patients to transfer their data out of the U.S. to the UK? I appreciate client confidentiality, but what client gave you these data, and are they now notifying the U.S. Department of Health and Human Services of this breach or are you?

There are obviously so many questions raised by this situation apart from what DataBreaches posed to HSKSG, but we started with those.

DataBreaches received no reply from HSKSG after three days, but with some additional digging, DataBreaches identified a possible source of the data. DataBreaches is not naming the entity at this time in case we have erred, but DataBreaches sent an email to the U.S. entity explaining the situation (without naming the U.K. firm) and providing the U.S. entity with a small sample of patient names. DataBreaches asked them to check their current and past records to see if those names were the names of past or current patients and to respond within 48 hours.

They did not reply.

DataBreaches has sent a second inquiry to HSKSG. If there is still no reply from HSKSG or the entity in the U.S., DataBreaches will contact the FBI and suggest they get answers so that someone takes responsibility for notifying these patients of the need to protect themselves and will also contact the Information Commissioner’s Office to ask them some questions.

Category: Breach Incidents, Business Sector, Exposure, Hack, Health Data


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.