What happens when threat actors leak data on the dark web but the victim entity doesn’t access it in time to figure out what was leaked? That’s what happened to PruittHealth in Georgia last year. How many people are they notifying because they can’t figure out what was accessed, acquired, or leaked?
In November 2023, DataBreaches reported that PruittHealth had been hacked by threat actors calling themselves the NoEscape Gang. The criminals had also deployed a DDoS attack to increase the pressure on PruittHealth to pay.
NoEscape claimed to have 1.5 TB of files from PruittHealth but, as first reported by SuspectFile, the attackers did not provide any samples of protected health information (PHI). Neither the attackers nor PruittHealth responded to inquiries from either SuspectFile or this site. In December, DataBreaches submitted a second inquiry to PruittHealth, again asking for information about the breach. Again, there was no reply.
On May 30, 2024, PruittHealth began mailing notification letters. A copy was submitted to the Vermont Attorney General’s Office and to some other states.
PruittHealth reports that they discovered the cyberattack in November 2023. That is consistent with the threat actors’ claims that they accessed PruittHealth on November 13. By November 18, the threat actors claimed that they had already sent thousands of emails providing information about the data theft, with at least 400 of them sent to corporate email addresses. NoEscape also claimed to have made telephone contact with Randall Loggins, PruittHealth’s Chief Financial Officer.
“The hackers threatened to publish the stolen files on a ‘dark web’ blog site unless PruittHealth paid the hackers money as ransom,” the notification from Richard E. Gardner III, Chief Compliance Officer, states.
“On December 7, 2023, the hackers claimed to have published the files that they allegedly copied on their blog site. However, before PruittHealth’s forensic specialists could access the files the hackers claim to have published, the hackers’ blog site was taken down and any files that they claimed to have published were no longer accessible. As a result, PruittHealth is not able to confirm whether your information was exposed.”
How quickly did PruittHealth try to access or download the leaked files when they were first leaked? Their letter is silent on that point. It is also silent on the question of whether they ever paid the attackers any ransom. PruittHealth claims:
“We have performed extensive reviews of the files that were contained on the server at issue, and there is the possibility that some information related to your individual information, including potentially full or partial name, date of birth, government identification information, demographic information, contact information, home address, financial information including, Social security numbers, bank account number, health insurance information, and health information, may have been affected. While we have no evidence confirming that your information was taken, it is nevertheless possible that an unauthorized third party could have obtained this information. Therefore, we encourage you to review the attachment to this letter for additional information and steps to take with respect to potential identity theft.”
Nothing in the notification samples DataBreaches found or on PruittHealth’s website notice offers those affected complimentary credit-monitoring or identity theft restoration services.
How many were affected?
In November of 2023, when DataBreaches first became aware of this incident through its daily dark web searches, we noted this incident in an internal worksheet that tracks U.S. breaches of healthcare data. But there has never been any update to the incident in terms of a report to HHS. A search today could find no notifications online that included any total number for the incident. Massachusetts, however, noted that 26 of its residents were reportedly affected, and Paul Bischoff reports that PruittHealth notified 5,217 South Carolina residents of the breach.
Did PruittHealth submit a notification to HHS but HHS just hasn’t posted it yet, or has PruittHealth not notified HHS yet? How many people, total, were affected by this incident?