There has been a proliferation of new ransomware or hacking groups in the past six months, and some of them are still flying under the media radar. One of those groups is the dAn0n Hacker Group.
On March 26, dAn0n added Pediatric Urology Associates (“PUA”) to their leak site. On April 25, an updated listing with some screencaps claimed that they had exfiltrated 740 GB of information.
dAn0n did not leak 740 GB of information, but they have already leaked a compressed archive 16.76 GB in size that includes internal documents. A second compressed archive that they leaked is 662 MB in size and includes patient information.
Files in the second archive screened by DataBreaches included surgical booking slips that listed patients’ names, addresses, dates of birth, parents’ names and information, insurance information, diagnosis, and other medical information. Some files included very sensitive photos with file names or folder names that could link to a specific patient.
Some files viewed by DataBreaches contained more than one patient’s name, such as files with lists of patients with full names and dates of birth. There was no indication in what has been leaked so far that the threat actors accessed any EMR system.
What We Don’t Know
Unable to find any website notice, press release, or submission by PUA to any state regulator or HHS, DataBreaches reached out to PUA via their website to ask about their response to the breach and what appears to be protected health information of minor children. No reply has been received.
With further investigation, DataBreaches discovered that although PUA’s website does not link to NYU Langone, a November 2023 press release from NYU Langone noted they had acquired PUA and its 10 office locations. DataBreaches emailed NYU Langone to ask whether they knew about the alleged attack and whether they could provide any details. No reply has been received.
With both PUA and NYU Langone failing to reply to inquiries, we do not have firm confirmation of what appears to be a reportable breach under HIPAA. Nor do we know the scope of any breach or what the victim entity has done in response.
dAn0n’s Claims
DataBreaches also emailed dAn0n, who was willing to answer some questions. Through the email exchange, DataBreaches was told that dAn0n first gained access to PUA’s network in January 2023 (and no, that was not a typo, they said). dAn0n claims they deployed ransomware on March 23, 2024 and then notified PUA employees by email and WhatsApp on March 26, 2024.
dAn0n would not answer a question about how much they demanded as ransom, but they were willing to state that they used a custom exploit to gain access. According to dAn0n’s spokesperson, PUA never detected them in their network. The hackers no longer have access.
PUA allegedly never responded to dAn0n’s demands or attempted to negotiate with them. DataBreaches asked dAn0n whether they had really contacted any patients or regulators, as their leak site listing suggested they might do when victims fail to respond or negotiate. The spokesperson responded “yes,” but did not elaborate, and DataBreaches did not have sufficient information to try to confirm that claim.
Tick Tock?
If PUA or NYU Langone PUA was compromised on March 23 and contacted on March 26 and informed they had been hacked and encrypted, why has there been no media statement, substitute notice, or submission by PUA or NYU Langone PUA? That entities do not always comply with the requirement to notify no later than 60 calendar days from the discovery of a breach is not surprising. But there is no notice anywhere and no response to multiple inquiries.
If dAn0n Hacker Group has told the truth, patients seen at PUA locations are being left in the dark while their own or their child’s protected health information has been freely available for months already.
This post will be updated if NYU Langone or PUA responds.