On March 19, 2024, DataBreaches reported a ransomware attack targeting New York Plastic Surgical Group (a division of Long Island Plastic Surgical Group). According to one of the threat actors involved, the attack occurred on January 7 and involved both RADAR and AlphV (BlackCat) groups working together — AlphV to encrypt files and negotiate the ransom and RADAR to exfiltrate the files.
When NYPSG wouldn’t pay, the threat actors leaked the data on LockBit’s dark web leak site.
Unbeknownst to many people, that data leak was also accessible on a server that Radar-Dispossessor threat actors appeared to use to store data tranches. DataBreaches became aware of that server in July and reached out to the hosting company on July 11 to get them to remove it or lock it down. On July 29, they informed DataBreaches that they had deleted the files and closed the account for violations of terms of service. On August 12, the FBI announced the disruption of Radar-Dispossessor and seizure of their servers in three countries.
Nine months after the breach, NYPSG sends notification letters
On October 4, NYPSG began sending notification letters to affected patients. The letter stated that they had discovered unauthorized access to their network between January 4 and January 8, 2024. Their letter makes no mention that this was a ransomware incident, or that files were leaked by the threat actors in March and remained publicly available for months.
What their letter does say, in part, is that:
Based on our comprehensive investigation and document review, which concluded on September 15, 2024, we discovered that a limited amount of personal information was removed from our network in connection with this incident, including full names and one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, passport numbers, financial account information, biometric information, medical information, clinical photograph(s), and/or health insurance policy information.
Despite the concerning types of information and potential for misuse, NYPSG writes, “To date, we are not aware of any reports of identity fraud or improper use of any information as a direct result of this incident. Out of an abundance of caution, we provided written notification of this incident commencing on or about October 4, 2024, to all those potentially impacted to the extent we had a last known home address.”
Once again, DataBreaches notes that suggesting that notification is being made “out of an abundance of caution” is misleading rubbish when the entity is required by federal regulations (HIPAA) and/or state laws to notify those affected.
Late Notification?
Not only was NYPSG’s written notice to individuals late, but the incident still has not shown up on HHS’s public breach tool. HIPAA requires entities to notify HHS of reportable breaches affecting more than 500 patients no later than 60 calendar days from the discovery of the breach. Even if one takes the lenient approach of saying NYPSG first discovered the breach in March (the threat actors had claimed that NYPSG knew about it in January), notice to HHS would have been due in May. Did NYPSG notify HHS, but HHS just hasn’t posted it publicly yet, or did they fail to notify HHS in a timely fashion? And if they didn’t notify HHS in a timely fashion, will HHS OCR do anything about the late notification, given that the entity knew by March (at the latest) that PHI had been stolen and was being leaked publicly?
In any event, we do not yet know how many patients, total, were affected by this incident.
Wait, what’s this??
In an unwelcome surprise, DataBreaches’ husband received one of those notification letters in the mail yesterday. The letter, which was not signed by any individual at all, stated that his name, Date of Birth, Medical Information, Health Insurance Information, and Patient Account Number were removed from their network as part of an incident that occurred between January 4 and January 8.
As far as he knows, he was never a patient of theirs. So how did they get all that information on him?
Of course, DataBreaches’ husband is not the first person to ever receive a breach notification yet have no idea how or why the entity had their information, but this was the first time he ever received a breach notice involving his medical information. Had someone used his information to get medical care from NYPSG/LIPSG without his knowledge? Had he just forgotten he was a patient there, but if so, when was he a patient? And for what was he seen or treated? And what health insurance information was involved? Was it an old policy or his current one?
Puzzled and concerned, he called the “dedicated and confidential” response line to ask how the medical group got his information, and what information they had. The call center employees had no idea of either answer, of course. When he asked them who he should call or contact to find out how/why they had his information and what information they had, the call center employees had no idea about that either, of course.
Today he is mailing them a certified letter requesting answers to four questions plus a request for his medical records. The latter request is under HIPAA’s provision for access to medical records. They are required to provide them within 30 calendar days of receipt of the request but can grant themselves an extra 30 days if they can justify the delay. It seems to be one way to figure out what the threat actors acquired so that he can better assess his risk.
Updated October 15, 2024
On October 14, the HIPAA Compliance Officer for NYPSG called to answer the questions put to them. She stated he was seen in a county hospital emergency room six years ago by someone who was a physician assistant for NYPSG/LIPSG. The hospital contracted with them for services in some departments. According to the HIPAA Compliance Officer, that physician assistant would have told him at the time that the physician assistant was with NYPSG, but he has no recollection of ever being told that.
The Compliance Officer also told him specifically which health insurance plan they had on file for him. Part of that information is still valid, which means he needs to remain alert for possible medical identity theft by checking any Explanation of Benefits statements he receives in the future from any entity.
NYPSG is mailing him a copy of the records they hold on him. The HIPAA Compliance Officer informed him that their EMR system was not hit. The attackers got scanned files.
This experience is a useful reminder that if you don’t know how an entity got your PII or PHI or what they got, send a letter asking for details and a copy of your medical records as a HIPAA request. Not all healthcare entities are covered by HIPAA, but those that are will be obligated to respond in a timely fashion.
Why records from six years ago like his were not encrypted at rest is a question that HHS OCR might want to ask, but kudos to NYPSG/LIPSG for their prompt response to the patient’s inquiry about their breach notification.
Updated October 16: A total of 161,707 patients were affected by this breach, as reported to HHS on October 4, but first posted publicly today.