DataBreaches.Net


Carolina Arthritis hit by ThreeAM ransomware attack

Posted on October 25, 2024 by Dissent

On Thursday morning, ThreeAM added Carolina Arthritis to its leak site. Some ransomware groups add a listing, post some claims and a few screencaps, and then give the entity a deadline to pay up, or they leak a bit of data and then give the entity a final deadline. ThreeAM doesn’t seem to work that way. Within hours of posting the listing with a note that files would follow soon, they leaked all of the data they had exfiltrated from the medical practice.

A listing by ThreeAM indicates that data exfiltrated from Carolina Arthritis was dumped on October 24. Image: DataBreaches.net

ThreeAM provided DataBreaches with some additional details about the incident, including a file list showing what was exfiltrated. They also told DataBreaches that the attack was on September 27 and that they had encrypted the medical practice’s files.

In response to a query about how much data they acquired, their spokesperson responded that a lot of documents that should be protected under HIPAA were uploaded. The protected health information (PHI) included personal information (including that of one of the physicians), medical histories, medical records, test results, and more.

DataBreaches asked whether there had been any response from Carolina Arthritis to ThreeAM’s demands or any negotiations. ThreeAM replied that there had been some negotiation with Dr. Harris, but it turned out to be a waste of their time. They decrypted a few files as proof of their ability to decrypt files, and when Dr. Harris reportedly asked them to extend the timer to pay, ThreeAM claims they agreed to give them more time. But Dr. Harris reportedly never made any counteroffer to their demand, only asking that they be “more reasonable,” because they didn’t have the money to meet the threat actors’ demands. That response did not sit well with ThreeAM, it seems, as they had found the doctor’s retirement account statement in the files and could see that the doctor had a very hefty retirement balance. (ThreeAM did not reveal the amount of their initial demand, and DataBreaches is not revealing the bank statement showing the doctor’s retirement account, a copy of which was provided to this site.)

Inspection of the file list provided to DataBreaches revealed that there were many internal business records on Carolina Arthritis’s Z: drive, including some employee data such as payroll, tax information, 401k, and other benefits information. Much of it went back years, but since SSN and other identity information may not change, people will have to be notified. The internal documents also contained a number of files with computer usernames and passwords. DataBreaches hopes that none of it is current data and that the practice didn’t reuse passwords, or they may have another big item on their incident response to-do list.

More than 20 years of files will have to be reviewed to figure out who needs to be notified and what types of information were involved for them.

Carolina Arthritis did not respond to inquiries submitted via its site yesterday morning. Nor did it respond to inquiries submitted yesterday afternoon asking whether the attack had impacted patient care at all and if they had a usable backup for any patient files that may have been encrypted. While it does not appear that ThreeAM accessed the EMR system, even old scanned files can be important in patient care to compare how a patient was doing years ago to how they are doing now.

This post will be updated if Carolina Associates replies or more information becomes available.

Category: Health Data, Malware, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.