On September 15, INC Ransom added OnePoint Patient Care to its leak site. The threat actors claimed to have encrypted the hospice dispensing pharmacy and pharmacy benefits management service’s files. It wasn’t long after that INC leaked all of the data.
The Arizona-based provider notified HHS of the incident on October 14, reporting that 795,916 patients had been affected.
A substitute notice on OnePoint’s site indicates that the incident had no impact on its operations. In a letter to patients, a copy of which was provided to the California Attorney General’s Office, OnePoint states that the attack occurred between August 6 and August 8, and was first detected on August 8.
“While we have no reason to believe that your information has been misused for the purpose of committing fraud or identity theft, we are writing in accordance with relevant law to advise you about the incident and to provide you with guidance on what you can do to protect yourself, should you feel it is appropriate to do so,” they write. The types of information involved included the patient’s name, address, residence information, medical record number, diagnosis, Social Security number, and prescription information.
“While we are uncertain that your personal information was obtained,” they add, “out of an abundance of caution, we are notifying you of that potential.” They do not reveal whether they obtained and reviewed the entire data tranche, which might have confirmed whether patients’ data was obtained or not.
But would patients feel “it is appropriate” to take steps to protect themselves if they knew their data had been leaked and may be in an untold number of hands? Nowhere in its letter does OnePoint reveal if this was a ransomware attack and if the data was leaked because they didn’t pay the ransom. The notification is totally silent about any encryption or ransom demand, neither denying nor confirming what INC’s site suggests.
DataBreaches is not suggesting that OnePoint should have paid any ransom demand, but DataBreaches thinks covered entities should inform patients when their data has actually been leaked or put up for sale as a result of an incident.