On December 6, 2023, the Medusa Blog added ACCU Reference Medical Laboratory to their leak site with some screenshots as proof of claims. Claiming to have 1.2 TB of data, Medusa demanded $1 million to delete or download the data. When no payment was forthcoming, they leaked the data on their website and Telegram channel on January 2, 2024.
That incident never appeared on HHS’s public breach tool.
Second Cyberattack
On July 10, the Qilin ransomware group claimed an attack on Accu Reference.
Qilin claims to have acquired the data on July 1, and disclosed the incident on July 10 on their darkweb leak site with 12 screenshots. The majority of the screenshots contained unredacted protected health information of patients. Inspection of the proof revealed recent files, so this does not appear to be just a re-listing of older data from the 2023 incident. The Qilin listing does not indicate the number of files or amount of data they claim to have exfiltrated. Nor do they indicate whether they have encrypted the lab’s files or systems.
DataBreaches sent a contact form inquiry and email yesterday to Accu Reference, asking whether they had ever reported the 2023 incident to HHS, and if so, could they provide a copy of any notification or substitute notice. The inquiry also asked what they were doing in response to what appears to be a second incident. No reply has been received by publication.