As some will likely have already noticed, Daixin Team released the second part of the data leak from five hospitals in Ontario that have IT services provided by TransForm SSO. The first leak, containing many patient records, was previously reported by DataBreaches on November 1.
Skimming the second tranche, DataBreaches noted a lot of internal hospital files such as forms and administrative matters. There were some files with employee information, and in that regard, DataBreaches was pleased to observe that some files that likely had sensitive employee-related information like disciplinary matters were password-protected.
DataBreaches noted that this tranche also contained patient data, but not the kinds of scanned files seen in the first tranche. This tranche included records concerning COVID-19 vaccinations with patients’ names, dates, and in some cases, a bit of their reactions or history to vaccinations. Other patient-related files that DataBreaches noted involved named patients’ medications and suggestions for medications. Those files, in the form of worksheets and suggestion documents, included the patients’ names, diagnoses, dates, names and doses of medications, and comments related to the medication regimen for the patient.
DataBreaches did not go through all the files so there may be other files with patient information or employee information in addition to what is described above.
According to Daixin’s listing for this incident, there are more data to be leaked. Unlike some ransomware groups that threaten to leak immediately and then do not, Daixin Team has been extremely consistent: they start to leak as soon as a deadline passes, and once they start, they don’t wait a long time between the leaks. Based on their pattern, DataBreaches expects to see the third leak and then the databases dump within days. As they say, the full leak will be soon.
But that said, DataBreaches notes that the “full leak” may not actually include all of the data they acquired. According to statements made to DataBreaches today by their spokesperson, they have been considering different strategies for dealing with victims who do not pay, and they may be selling some of the data rather than leaking it. When asked whether they would sell the data on a forum or market, they indicated that it would be a bulk sale to data brokers who can resell it to scammers and other groups.
“Where the data will be sold to, I don’t know,” they told DataBreaches. “Brokers will receive it directly from us, and then it is no longer our concern.”
Whether Daixin will actually follow through on this is unknown to DataBreaches, and from their description, DataBreaches would likely have no way to verify any such sale unless someone later provided this site with data or proof of sale.
Would Daixin just say that to try to pressure victims into paying? Perhaps, but that ship has already sailed for TransForm and these hospitals. Perhaps it’s being said now for the benefit of future victims to consider. DataBreaches really doesn’t know, but will continue to monitor this situation.