DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Carolina Arthritis hit by ThreeAm ransomware attack

Posted on October 25, 2024 by Dissent

On Thursday morning, ThreeAM added Carolina Arthritis to its leak site. Some ransomware groups add a listing, post some claims and a few screencaps, and then give the entity a deadline to pay up, or they leak a bit of data and then give the entity a final deadline. ThreeAM doesn’t seem to work that way. Within hours of posting the listing with a note that files would follow soon, they leaked all of the data they had exfiltrated from the medical practice.

A listing by ThreeAM indicates that data exfiltrated from Carolina Arthritis was dumped on October 24. Image: DataBreaches.net

ThreeAM provided DataBreaches with some additional details about the incident, including a file list showing what was exfiltrated. They also told DataBreaches that the attack was on September 27 and that they had encrypted the medical practice’s files.

In response to a query about how much data they acquired, their spokesperson responded that a lot of documents that should be protected under HIPAA were uploaded. The protected health information (PHI) included personal information (including that of one of the physicians), medical histories, medical records, test results, and more.

DataBreaches asked whether there had been any response from Carolina Arthritis to ThreeAM’s demands or any negotiations. ThreeAM replied that there had been some negotiation with Dr. Harris, but it turned out to be a waste of their time. They decrypted a few files as proof of their ability to decrypt files, and when Dr. Harris reportedly asked them to extend the timer to pay, ThreeAM claims they agreed to give them more time. But Dr. Harris reportedly never made any counteroff to their demand, only asking that they be “more reasonable,” because they didn’t have the money to meet the threat actors’ demands. That response did not sit well with ThreeAm, it seems, as they had found the doctor’s retirement account statement in the files and could see that the doctor had a very hefty retirement balance. (ThreeAM did not reveal the amount of their initial demand, and DataBreaches is not revealing the bank statement showing the doctor’s retirement account, a copy of which was provided to this site).

Inspection of the file list provided to DataBreaches revealed that there were many internal business records on Carolina Arthritis’s Z: drive, including some employee data such as payroll, tax information, 401k, and other benefits information. Much of it went back years, but since SSN and other identity information may not change, people will have to be notified. The internal documents also contained a number of files with computer usernames and passwords. DataBreaches hopes that none of it is current data and that the practice didn’t reuse passwords or they may have another big item on their incident response to-do list.

More than 20 years of files will have to be reviewed to figure out who needs to be notified and what types of information were involved for them.

Carolina Arthritis did not respond to inquiries submitted via its site yesterday morning. Nor did it respond to inquiries submitted yesterday afternoon asking whether the attack had impacted patient care at all and if they had a usable backup for any patient files that may have been encrypted. While  it does not appear that ThreeAM accessed the EMR system, even old scanned files can be important in patient care to compare how a patient was doing years ago to how they are doing now.

This post will be updated if Carolina Associates replies or more information becomes available.

Category: Health DataMalwareU.S.

Post navigation

← Indian court tells Star Health to share details of leak so Telegram can delete chatbots
American creating deepfakes targeting Harris works with Russian intel, documents show →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
  • Call for Public Input: Essential Cybersecurity Protections for K-12 Schools (2025-26 SY)
  • Cyberattack puts healthcare on hold for hundreds in St. Louis metro
  • Europol: DDoS-for-hire empire brought down: Poland arrests 4 administrators, US seizes 9 domains

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants
  • DOGE aims to pool federal data, putting personal information at risk
  • Privacy concerns swirl around HHS plan to build Medicare, Medicaid database on autism

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.