DataBreaches.Net


Northeast Rehabilitation Hospital Network’s “incident” was a ransomware attack with data leaked, but they haven’t said that.

Posted on July 29, 2024 by Dissent

Northeast Rehabilitation Hospital Network (“NRHN”) is a comprehensive network of physical rehabilitation services that includes four inpatient hospitals and 25+ outpatient rehabilitation clinics. It also provides pain management and specialized pediatric outpatient rehabilitation.

On July 19, NRHN notified the U.S. Department of Health & Human Services (HHS) of a “hacking/IT incident” that affected 501 patients.  The “501” is usually a marker when the entity does not yet know how many were affected, but believes the number is over 500 and requires notification to HHS and affected individuals within 60 calendar days from discovery.

In a substitute notice on its website, NRHN discloses a “data privacy incident.”  It begins:

Northeast Rehabilitation Hospital Network (“NRHN”) is announcing a recent event that may impact the security of information related to certain current or former NRHN patients. Although NRHN presently has no evidence that any such information has been used to commit identity theft or fraud, NRHN is providing information about the incident, steps taken since discovering the incident, and resources available to individuals to help protect their information from possible misuse, should they feel it is appropriate to do so.

What Happened? On or around May 22, 2024, NRHN became aware of suspicious activity affecting certain systems within its network. NRHN immediately launched an investigation to confirm the full nature and scope of the activity.  The investigation determined there was unauthorized access to NRHN’s network between May 13, 2024, and May 22, 2024, and that certain files and folders within the network were or may have been taken without authorization during that time.  NRHN’s investigation to determine the information that may have been present in the potentially affected files is ongoing. NRHN will notify affected individuals identified through the review process and for whom it has address information via letter with additional information.

What Information Was Affected? The investigation into the affected information is ongoing.  The information potentially affected may include a combination of certain individuals’ names, contact information, Social Security numbers, patient identification numbers, medical record numbers, medical information, treatment information, diagnosis information, health insurance information, driver’s license/stated identification numbers, financial account information, and dates of birth.

Can current and former patients decide whether it is “appropriate to” help protect their information from possible misuse when the notice omits critical information?

NRHN’s substitute notice does not tell patients and employees that this was a ransomware attack with encryption of files as well as exfiltration of data.

NRHN’s substitute notice does not disclose that data has already been leaked on clearnet and dark web leak sites.

This Was a Ransomware Incident

DataBreaches’s investigation discovered that this incident was a ransomware attack by the group called Hunters International. They claim to have exfiltrated more than 410 GB of data, comprised of more than 352,000 files.

The listing by Hunters International appears to have been added to their leak site on July 18, 2024. Image: DataBreaches.net.

Inspection of the available data suggests that some of it is old and some is current. Although it is not clear how much patient data the threat actors may have acquired because the entire file tree did not open, NRHN’s substitute notice suggests that patient data was stolen.

The file tree for “All Data” contains folders for Admissions, Clinical, Hospitality, HumanResource, and Pediatrics.

  • The portion of the Admissions folder that was accessible did not contain any patient admission databases but did contain a folder with completed forms to correct patients’ medical record numbers.
  • The Clinical folder contained more than 300 GB of the 410 GB the threat actors claim to have acquired. There appear to be more than 148,000 files in the Clinical folder, but as noted above, neither the full tree nor all files were accessible at the time DataBreaches attempted to determine what kinds of files the threat actors acquired.
  • The small portion of the Pediatrics folder that was viewable contained internal documents and one patient evaluation report.
  • The portions of the Human Resources folder that were viewable included some personnel data on a limited number of employees, including 401K information, termination benefits, and W-2 data. NRHN’s substitute notice does not mention that employee data may have been acquired.

The first part of the file tree for the Clinical folder contained more internal documents and not any patient databases. The remainder of the file tree was not accessible. Image: DataBreaches.net.

Because Hunters International does not provide contact information for journalists, DataBreaches was unable to contact them to ask about other data. Of note, however, the listing on the leak site has a small section for “Requested Files,” which may mean that Northeast Rehabilitation Hospital Network attempted to negotiate or contact the threat actors and requested proof that files could be decrypted.
Hunters recently announced that they had updated their encryption/decryption software to v5.0.0.

What is NRHN Doing in Response to This Breach?

NRHN’s substitute notice states:

NRHN takes this incident and the security of information in their care very seriously. Upon becoming aware of this incident, NRHN promptly commenced an investigation to confirm the nature and scope of this incident. This investigation and response included confirming the security of our systems, reviewing the contents of relevant data for sensitive information, and investigating to determine the information that may be involved. NRHN also notified federal law enforcement. As part of NRHN’s ongoing commitment to the privacy of information in their care, NRHN is reviewing its policies, procedures and processes to reduce the likelihood of a similar future event. NRHN will also notify applicable regulatory authorities where necessary.

We have heard that before from them.

This is Not NRHN’s First Cyberattack

In November 2021, NRHN reported a “hacking/IT incident” to HHS that affected 500 patients (another marker). The unauthorized access occurred between September 30, 2021 and October 5, 2021. NRHN notified HHS in November 2021, published a substitute notice on its site, and notified major media in the area. In August 2022, they filed a report with the Maine Attorney General’s Office that indicated that a total of 190,220 people were affected by the incident. The types of information affected included name, address, date of birth, driver’s license, Social Security number, and financial account information. It wasn’t until August 2022 that they sent individual notification letters. In the letter, they informed recipients what they were doing in response to the breach:

We take this incident and the security of personal information in our care very seriously. Upon discovery, NRHN immediately took steps to ensure the security of our systems and investigate the event. Notice of the event was provided to local and national media outlets and posted on the Northeast Rehabilitation website. As part of our ongoing commitment to the privacy of information in our care, we have implemented additional technical security measures to strengthen the security of our systems. We also have reviewed and enhanced existing data privacy policies and procedures. We immediately notified the FBI and other regulatory bodies of this incident and are updating additional agencies as required.

And yet here we are again?

A check of HHS’s public breach tool shows that there has been no update to their 2021 submission to HHS for the number affected. DataBreaches does not know whether NRHN submitted an updated figure to HHS but HHS just hasn’t entered it, or if none has been submitted. DataBreaches could determine, however, that HHS has not closed its investigation into the 2021 breach. There is no closing statement in the breach tool for that incident.

So now there have been two cyberattacks and we do not know how either one occurred or what security measures NRHN had in place before either of them.

DataBreaches does not know whether HHS will combine any investigation into this newest incident with any previous or ongoing investigation.

Putting the Question to NRHN

DataBreaches emailed NRHN to ask three questions:

  1. How did attackers gain access in 2021 and how did attackers gain access in 2024? Was this the same vulnerability or weakness in security?
  2. How many patients were affected in this latest incident?
  3. Why should patients have confidence in NRHN to protect their data after two breaches? What will NRHN do to really lock down data or protect it better?

No reply has been received by publication.

Category: Commentaries and Analyses, Health Data, Malware, Of Note, U.S.
