On September 6, The Physical Medicine & Rehabilitation Center posted a substitute notice on its website about an incident in July that affected patients at their New Jersey and New York locations.
The attack by Meow Leaks reportedly resulted in the threat actors accessing some protected health information (PHI) of an undisclosed number of patients. The PHI included name and one or more of the following: address, phone number, email address, date of birth, Social Security number, drivers license/state ID number, credit/debit card number, treatment/diagnosis information, prescription information, provider name, medical record number, date of service, patient ID, Medicare/Medicaid number, treatment cost information, health insurance policy number, health insurance claim number, and health insurance information.
PMRC notes that it notified law enforcement and is offering those affected access to credit monitoring and identity protection services as an added precaution. Employee data was also included in this breach.
What its notice doesn’t mention is that the threat actors did more than just “access” PHI. They removed a copy of some data– allegedly 40 GB of files with PHI and PII, some of which they leaked as proof when PMRC did not pay their demands.
SuspectFile has a lot more information about this incident and was given exclusive access to review some of the files Meow Leaks acquired. They were also shown some of the negotiations between PMRC and Meow Leaks, emails that reveal that PMRC was also contacted by impostors who claimed to be the attackers and attempted to get PMRC to pay them.
Somewhat surprisingly, the ransom demand was $15,000, but PMRC did not pay even that relatively small amount.
Their refusal to pay ransom is commendable from the perspective that we don’t want to reinforce and encourage more attacks, but how will PMRC’s patients react if they learn that their sensitive personal information leaked on the internet or was sold to other criminals because their doctors wouldn’t pay $15,000 to protect their data from disclosure? Of course, there is no guarantee that criminals will really keep their word about deleting data if they are paid, but how will patients react to this, and if there is a potential class action lawsuit, what will that cost the practice financially and in goodwill or trust?
As of publication, the data are for sale on the dark web. If someone want to be the sole purchaser, the price is $15,000. If the sale is nonexclusive, the price is $5,000. It is not clear what will happen if there are no purchasers.
Read more at SuspectFile.