On June 18, Gramercy Surgery Center in New York discovered it might have been the victim of a cyberattack attack. It had been, and DataBreaches recently reported that the threat actor(s) known as Everest Team leaked more than 460 GB of files they claimed to have exfiltrated. Neither Gramercy Surgery Center (GSM) nor Everest responded to email inquiries.
Since that report, DataBreaches has begun examining some of the leaked data from three parts of the multi-part leak. One part contained accounting files and data from 2020 and 2021. While they contain internal and financial documents that might be of interest or potential misuse, the other two parts confirmed this site’s impression that Everest acquired a lot of patient data.
With respect to patient data, almost all of the files with patient data that DataBreaches has found so far are individual .pdf files that are scans of other files, including scans of files that had handwritten notes. A few .csv files contain patient data going back to 2004 and 2005 dates of service for accounts that were sent to collection years ago.
Password protection, or lack thereof
DataBreaches was initially pleasantly surprised to find that many of the first folders that DataBreaches checked appeared to be password-protected. Unfortunately, further inspection of more files and folders revealed that there was a folder named “Password – [****].” Yes, the password for all of those password-protected patient files was a simple four-letter common noun that was given in a folder name.
Of course, even if they had not conveniently listed the password in a folder name, a simple password recovery program or tester would have discovered it quickly.
So not all folders with patient files required a password, and the ones that did generally all used the same simple four-letter common noun word as their password. The IT department seemed to have a strong password for its files that contained password lists, but a file for credentialing passwords was unprotected in a folder on credentialing. That file contained a username, password, security questions and answers, as well as full credit card information with expiration date and cvv code.
What was in the patient files?
Everything: patient demographic information such as name, address, phone number, email address, Social Security number, entire medical history, pre-surgical, surgical, and post-surgical notes and records, billing and health insurance information, and information on accounts from 2004 and 2005 appointments that were sent for collection.
Some patient files consisted of dozens of pages of records. Not everyone had the same types of information, but all of the patient-related files had protected health information.
Among the files that were not even password-protected, DataBreaches saw folders with pathology reports, operative reports, cancer reports, and responses to subpoenas and other records. There is also a folder called “HIPPA” (sic). All of the files in that folder have patient names as the filenames with “HIPPA” after the name.
What next?
DataBreaches has not yet downloaded all of the leaked data but it is clear that GSM faces a significant challenge in terms of data breach review to determine who they need to notify and exactly what types of information each person had in records. It is not surprising that GSM has yet to submit a report to HHS. When they do, we may see a “500” marker for a while.
Will employees and providers also need to be notified? DataBreaches does not yet know for sure, although some provider information has already been found in the leaked data.
Updated: The incident was reported to HHS on August 9 as affecting 50,554 patients.
Great thanks to Marco A. De Felice of SuspectFile.com for his help downloading the data.