HCF Management manages a variety of healthcare facilities in Ohio and Pennsylvania, including assisted living, rehabilitation services, long-term care, and hospice services. They are a for-profit organization.
On October 29, 2024, RansomHub added HCF Inc. to its leak site with a claim that they had exfiltrated 250 GB of files. Their listing did not specifically mention whether HCF’s information was encrypted as part of the attack.
It would appear that HCF did not pay any ransom demand that would have been made as RansomHub leaked the data.
HCF Discloses Incident
On or about January 9, HCF facilities started filing reports with HHS and some state regulators. Massachusetts, Vermont, and Maine all received notifications from one or more facilities. Each HCF facility filed its own report as a healthcare provider, but indicated that a business associate was involved.
As of publication, of the 25 locations/facilities HCF lists on its website, only two do not have listings on HHS’s public breach tool: Burton’s Ridge and The Ridge of Lancaster. Whether they each had less than 500 patients affected or reports just have not shown up yet is unknown to DataBreaches, but for the 23 facilities that submitted reports to HHS, a total of 57,927 patients were affected.
In addition to the 23 specific locations, Heritage Health Care, which is HCF Management’s home healthcare service for in-home care in Pennsylvania and Ohio, reported that 12,162 patients were affected, bringing the total number of patients for the incident to 70,089.
The substitute notice posted on one facility’s website explains:
The Manor at Greendale learned that a third party gained access to certain of its management company’s computer systems on October 3, 2024. According to its management company, upon identifying the issue, it took steps to secure its network and engaged a third-party computer forensic firm to assist with its investigation. The management company advised that it determined an unknown, unauthorized third party first gained access to its computer systems on September 17, 2024, and, during that time, accessed and acquired certain documents from those systems. On November 19, 2024, the management company determined the information involved for each individual varied, but may have included residents’ names, addresses, phone numbers, dates of birth, Social Security numbers, medical treatment information, and health insurance information.
DataBreaches has not yet examined any of the data leak to confirm it is all HCF data because it takes days to the large download over Tor, but will update this post if and when we are able to examine it. The fact that HCF disclosed the breach and confirmed it contained PII and PHI suggests that the tranche will have PHI.
But What Didn’t They Disclose?
Reading the sample notification letter submitted to the Maine Attorney General’s Office and a notice posted on one of the facility’s websites, it appears that HCF has not told those affected that this was an incident that involved ransomware or a ransom demand. They do not characterize the incident at all other than unauthorized access with exfiltration. Did they tell the facilities that this was a ransomware incident? And did they tell the facilities that the data has been leaked?
Nobody seems to have told the patients that their personal and protected health information was leaked on the dark web for anyone to download without any password or authentication required (assuming, for now, that RansomHub really did leak all the data they exfiltrated).
DataBreaches called HCF today and asked whether patients have been told about the leak. After initially being told that every one was notified, and asking again whether they were told the data has been leaked, DataBreaches was transferred to another employee and voicemail. DataBreaches left a message specifically inquiring whether patients have been told about the data on the dark web. No reply has been received by publication.