On July 13, DataBreaches reported that the Stormous gang claimed to have exfiltrated 600,000 patients’ records from North Country Healthcare (NCH) in Arizona. At the time they provided a small sample of records in .csv format and indicated that they were going to leak 100,000 records for free and sell the other 500,000 records.
Because DataBreaches was unable to verify that the patient data was real, Stormous responded to this site’s inquiry by providing this site with the 500,000 records database as well as a screenshot allegedly proving access to their system. The larger data sample had the same problems as the smaller sample. DataBreaches could not find people with those names in Arizona, the patient addresses didn’t exist when DataBreaches went to check them, the gender of half of the patients was listed incorrectly (i.e., half of rows with female names were identified as “male,” and half of rows with male names were identified as “female”), and the contact phone numbers were … screwy, with some area codes not even U.S. area codes.
Stormous later revised their listing to give away the 500,000 records and to claim they would be selling 100,000. They never addressed this site’s reporting that their data wasn’t validated.
Today, NCH sent DataBreaches this statement:
North Country HealthCare is aware of a claim made by a ransomware group on the dark web alleging unauthorized access to patient data. We take any such claim seriously and immediately launched an internal investigation.
At this time, we have found no evidence of a data breach or unauthorized access to our systems. Independent cybersecurity experts have reviewed the data posted and found it to be inconsistent, unverifiable, and likely fabricated.
We are continuing to monitor the situation closely and are working with cybersecurity professionals and law enforcement to ensure the safety and security of our systems and patient information.
We remain committed to transparency and will provide updates if new information becomes available. If you have questions or concerns, please contact us at info@nchcaz[.]org.
So NCH is finding that the data are unverifiable and likely fabricated. That matches what DataBreaches has been reporting all along. But as to the access to their network, they find no unauthorized access while a screenshot provided to DataBreaches might suggest otherwise. DataBreaches does not know whether Stormous or any other threat actor(s) ever sent NCH the screenshot as proof.
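Two of the plausibility checks described above (phone numbers that are not valid North American numbers, and gender values that disagree with first names) can be scripted for triaging a claimed leak sample. The following is an added example, not code from DataBreaches or NCH; the column names, the name lookup and the sample rows are constructed assumptions, not the posted file's schema or contents.

```python
import csv, io, re

# Assumption: Arizona area codes, used as the expected locality for this provider.
AZ_AREA_CODES = {"480", "520", "602", "623", "928"}
# Constructed lookup; a real run would use a larger reference list of given names.
NAME_GENDER = {"mary": "F", "linda": "F", "susan": "F", "james": "M", "robert": "M", "david": "M"}
# Constructed sample rows; column names are hypothetical.
SAMPLE_CSV = """first_name,gender,phone
Mary,M,+44 20 7946 0958
James,F,602-555-0143
Linda,F,212-555-0100
Robert,M,(928) 555-0199
Susan,M,911-555-0123
David,M,520 155 0100
"""

def nanp_area_code(phone):
    """Return the area code if the number is structurally valid NANP, else None."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    if len(digits) != 10:
        return None
    area, exchange = digits[:3], digits[3:6]
    # Area code and exchange must start with 2-9; N11 is never an area code.
    if area[0] in "01" or area[1:] == "11" or exchange[0] in "01":
        return None
    return area

def triage(csv_text):
    """Count rows that fail each plausibility check."""
    stats = {"rows": 0, "bad_phone": 0, "out_of_state": 0, "gender_known": 0, "gender_mismatch": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        stats["rows"] += 1
        area = nanp_area_code(row["phone"])
        if area is None:
            stats["bad_phone"] += 1
        elif area not in AZ_AREA_CODES:
            stats["out_of_state"] += 1
        expected = NAME_GENDER.get(row["first_name"].strip().lower())
        if expected:
            stats["gender_known"] += 1
            stats["gender_mismatch"] += expected != row["gender"].strip().upper()[:1]
    return stats

if __name__ == "__main__":
    s = triage(SAMPLE_CSV)
    print(s)
    # A mismatch rate near 50% is what random gender assignment would produce.
    print("gender mismatch rate: %.0f%%" % (100 * s["gender_mismatch"] / s["gender_known"]))
```

Address validation is left out because it needs an external lookup; high failure counts here flag a sample for closer review and do not by themselves prove fabrication.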