Note: Marco A. De Felice (aka @amvinfe) has been doing some great investigative blogging on ransomware groups and incidents. If you’re not checking his SuspectFile site regularly, you are missing out on some of his exclusive reporting.
De Felice’s recent coverage of Medusa’s attack on Northeast Ohio Neighborhood Health (NEON) begins:
Another significant data breach looms for United Healthcare (UHC), involving patient documents belonging to its Optum financial assistance program and its subsidiary Change Healthcare.
In recent hours, the ransomware group Medusa has claimed on its website, within Tor networks, the cyberattack on the servers of Northeast Ohio Neighborhood Health (NEON), a company providing healthcare services headquartered in Cleveland, Ohio, and the exfiltration of nearly 51GB of data. Many of these documents refer to PHI and PII of patients associated with health insurance contracts with the United Healthcare Group.
SuspectFile.com has also had the opportunity to review a series of contracts and administrative documents that NEON has entered into with other health insurance companies, providers, organizations providing home care services, childcare agencies, companies developing software for electronic health records, and management systems for the healthcare sector. Among the files exfiltrated by Medusa are financial reports, board reports, and banking documents.
The ransomware cyberattack occurred on April 15th when Medusa gained access to NEON’s computer systems. After exfiltrating 51GB of data from the servers, Medusa proceeded to encrypt the files, and on the blog, the group states the price that NEON will be forced to pay for file deletion, with the ransom amounting to $250,000; the group has set the same price for their sale. NEON has just over 2 days left before their data is sold or made public.
De Felice includes a number of samples of protected health information offered as proof of claims. Read more of his findings and analysis on SuspectFile.
What Next?
Although Medusa threatened to leak or sell all the data on or after April 26, the data have not been leaked as yet and there is no indication that the data have been sold. De Felice tells DataBreaches that Medusa has told them the data will be leaked on the group’s Telegram channel when it is leaked.
A check of NEON’s website does not find any alert or notification about a breach. Given that some sensitive and protected health information has already been leaked, DataBreaches sent a contact form inquiry to NEON today asking whether they are notifying patients of the attack. No reply has been immediately available. Nor is it known whether the encryption has impacted any of their functions or services.
This post may be updated when more information becomes available, although those interested in this particular incident would do well to check SuspectFile for any updates, as they are likely to update faster than this site can.