In May, 2024, the threat actors known as BianLian added the Center for Digestive Health in Florida to their dark web leak site. In June, they leaked what they claimed was 2.2 TB of files that they described as:
- A physical and medical history examination.
- Accounting, budget, financial data.
- Contract data and NDA’s.
- Accidents.
- Files from CFO PC.
- Operational and business files.
- Email and msg archives.
That was then. This is now:
On March 6, the Maine Attorney General’s Office posted a breach submission by external counsel on behalf of Gastroenterology Associates of Central Florida, P.A. (dba the Center for Digestive Health). The submission indicated that 122,437 people were affected, and it included a copy of the notification letter being sent to those affected.
The notification stated that on April 11, 2024, the center detected abnormal activity in their IT network. An investigation revealed that an unauthorized individual or individuals had accessed and acquired files with patient information. The information included name, Social Security number, date of birth, and health information. In a notice on its website, the medical practice adds:
While the Clinic is unaware of any fraudulent misuse of your personal information at this time, we are providing you with details about the incident, steps we are taking in response, and resources available to help you protect against the potential misuse of your information. Please be assured that the Clinic takes the protection and proper use of your personal information very seriously.
Yet nowhere do they inform patients that data was leaked on the dark web months ago — or what kind of data was leaked on the dark web. Is any of it protected health information or personally identifiable information of patients?
A check of BianLian’s dark web leak site this week revealed that the listing is still online as are the links to the data dump, but the links to the downloads are not working. Emails were sent to both the center and to BianLian (DataBreaches was unable to reach BianLian via their Tox account). No replies were immediately available, but this post will updated if more information becomes available.