Although DataBreaches does not report on all incidents involving U.S. healthcare entities, a log is kept to calculate statistics for the annual Breach Barometer report produced by Protenus, Inc. For the month of July, DataBreaches noted that the following six U.S. hospitals disclosed breaches or were claimed as victims by threat actors. Some of these incidents have pretty much flown under the media radar. In addition to these six, two other hospitals had breaches reported by Medibase stemming from a January breach (Staten Island Hospital in New York, and Self Regional Healthcare in South Carolina).
Fairfield Memorial Hospital
Fairfield Memorial Hospital in Illinois was added to LockBit3.0’s leak site on July 1. Four images were provided as proof of claims. Two of the four images contained protected health information of patients. DataBreaches emailed Fairfield on July 2 about the claimed attack but received no reply. The next day, however, the hospital posted a notice on their website that said that they had recently discovered suspicious activity and responded quickly to secure the network and investigate. Their notice provides no details at all about what types of information were involved or what they have found so far. Nor does their notice mention that this was a ransomware attack claimed by LockBit3.0 or that they have been threatened with having data leaked if they do not reply by August 10.
Hospital Auxilio Mutuo
Hospital Español Auxilio Mutuo (Hospital Auxilio Mutuo) in Puerto Rico notified HHS on July 13 of a network incident affecting 500 patients. Their submission indicated that no business associate was involved. There is nothing on its website about any incident at this time, but on July 15, News is my Business reported that the hospital discovered unauthorized access to its network in September and that experts, including outside counsel and IT forensic specialists, were hired to determine the cause and extent of the incident.
The investigation was reportedly still ongoing, and the hospital stated, “We have concluded that a limited amount of personal information may have been removed from our network in connection with the incident, including full names and one or more of the following: medical records, diagnostic information, and other data related to patient care.”
The hospital added that it does not have any “evidence that any information has been exfiltrated or misused,” but is encouraging people to check their personal information by monitoring their credit reports and financial statements, and reminded them that they are entitled to a free credit report every 12 months from each of the three nationwide credit bureaus.
So 10 months after discovering a breach, the hospital first notified HHS and still hasn’t notified everyone?
DataBreaches has not found any group claiming responsibility for this attack and emailed the hospital to ask for more information, but no reply was immediately received.
Northeast Rehabilitation Hospital Network
Neuro Rehab Associates, Inc. d/b/a Northeast Rehabilitation Hospital Network (NRHN) in New Hampshire notified HHS on July 19 that 501 patients were affected by a network incident. DataBreaches provided additional details on the May ransomware attack, including details that NRHN did not disclose.
Millinocket Regional Hospital
Millinocket Regional Hospital (MRHME) in Maine has no notice on its website or Facebook page about any cyberattack or incident. Nor have they reported anything to HHS’s public breach tool. On July 25, RansomHub threat actors added the hospital to their leak site. They provided no proof of claims while claiming to have exfiltrated 10 GB of files. There doesn’t seem to have been any media coverage of this alleged breach. On a follow-up check today, the listing no longer appears on RansomHub and is not in RansomHub’s archive of leaks. Was there really a breach? Did the hospital pay a ransom demand, or is there some other explanation for the listing disappearing? DataBreaches emailed MRHME to inquire, but had received no reply by publication.
Delhi Hospital
Delhi Hospital (also known as Richard Parish Hospital) in Louisiana was added to the RADAR and DISPOSSESSOR’s (“R&D”) leak site on July 29. The hospital did not respond to DataBreaches’ email and contact form inquiries sent on July 29. R&D, however, agreed to provide DataBreaches with a file list showing what they claimed to have acquired and a video showing parts of chat negotiations. They also offered to provide DataBreaches with any files requested as proof.
According to the chat records provided to DataBreaches, R&D reached out to the hospital on June 16 to announce the attack and to make contact for negotiations. Someone claiming to represent management for the hospital responded and handled negotiations for the hospital. The log shows that R&D initially demanded $350,000 in BTC for a decryptor and to delete all files. Negotiations did not go smoothly, stalling, in part, because R&D would not agree to provide the hospital with a complete file list showing everything they had acquired. By the end of the month, the hospital claimed to have only $25,000 on hand and was still trying to get a complete file list from R&D.
R&D did drop their price to $250k but wanted it paid within 24 hours. That did not happen. The hospital claimed that they were seeking a loan from their bank but would not pay R&D anything without a full file list so that they could see whether R&D had acquired anything important that would be worth paying for.
The negotiations were never concluded.
In the file list provided to this site, most of the files seemed to be internal documents rather than EMR or HR databases, but some filenames suggested that they might contain protected health information (PHI). DataBreaches requested one of those files and found that the .csv file contained approximately 24,000 records with patient ID number, patient first and last name, the service department (e.g., emergency room, sleep study, hospital outpatient), date of service, type of health insurance (self-pay or name of insurer and type of plan), unpaid debt, and claim ID.
As suggested by the repeated patient ID numbers in the figure above, the 24,000 records do not represent 24,000 unique patients because many patients had more than one claim with associated debt.
Having determined that the threat actors had acquired at least some patient information, DataBreaches did not request any additional files but emailed the hospital’s negotiator on August 5 to ask what the hospital had done in response to the breach. No reply was immediately available.
Schneider Regional Medical Center
Schneider Regional Medical Center in the Virgin Islands was added to Qilin’s leak site on July 31 with this claim:
The company Schneider Regional Medical Center was attacked by us, all infrastructure of the network was blocked. There were stolen the data, among which confidential information, private contracts, agreements, financial documentation, e-mail …
Qilin provided no proof of claims.
On July 23, the hospital announced it was being assisted by local and federal authorities in investigating the breach that occurred on July 21. In testimony to legislators, the hospital reported that they were in pretty good shape, having implemented a disaster plan and downtime procedures.
Qilin has not updated its listing since July 31.
Updated October 21: On October 7, Schneider Regional Medical Center notified HHS that 1,570 patients were affected by a breach. DataBreaches was unable to connect to Qilin’s leak site to determine if they had taken any further action on the data since July.
McLaren Health Care Confirms Cyber Attack, Raising Concerns of Possible Data Breach
Yes, that’s in my August worksheet. It looks to be by INC Ransom.