In October 2023, Carespring Health Care Management was the victim of a ransomware attack. It was not announced on its website, but in November, Carespring was listed on the NoEscape ransomware gang’s site. At the time, the threat actors claimed they had encrypted Carespring’s files and exfiltrated 364 GB of files.
The incident never appeared on HHS’s public breach tool.
On August 16, Carespring reported the incident to the Maine Attorney General’s Office and submitted a sample notification letter.
The submission says, in part:
On October 28, 2023, Carespring expe1ienced a network secmity incident that impacted some operations.
Upon learning of this issue, we immediately commenced a prompt and thorough investigation working ve1y closely with external cybersecmity professionals expe1ienced in handling these types of incidents to dete1mine whether there was any unautho1ized access to protected information. After an extensive forensic investigation and document review, we discovered on July 16, 2024, that between October 12, 2023 and October 30, 2023, a limited amount of info1mation stored on our network may have been accessed and/or acquired by an unauthorized individual.
Their submission says nothing about any ransomware or any ransom demands. Nor does it mention whether any data was leaked on the dark web.
Carespring reported this incident to Maine as affecting 76,719 people, total.
Carespring Attack Claimed by Two Other Groups Too?
Since the NoEscape breach, Carespring was also subsequently claimed by two other groups: Hunters International in February 2024, who appears to have claimed and leaked 391.4 GB of files, and LockBit3.0 in May, who have provided no proof or specific claims as yet.
Was the Hunters International data the same as the data acquired by NoEscape, or was it different? Should Carespring have told people about the Hunters International data leak? Do they have an unrelated incident that also requires incident response?
And what about the claims on LockBit3.0? Are those old data from NoEscape or is this yet another breach?
DataBreaches emailed two executives from Carespring yesterday to inquire, but no reply has been received.
This incident does not appear on HHS’s public breach tool unless it was submitted under some name other than Carespring.
Update: The incident has been reported to HHS as affecting 64,609 patients. As of August 22, Carespring has still not replied to inquiries from this site.