The AlphV (aka Blackcat) ransomware group may have disappeared after a law enforcement seizure in December, and then an exit scam by its admin in March, but the impact of some of its breaches continues. While the Change Healthcare breach continues to make headlines, earlier breaches by Blackcat also continue to impact victims.
In July 2023, Highland Health Systems detected unusual activity in its system. The investigation and the determination of who needed to be notified were lengthy. As the Alabama health system discloses in its notification letter of June 13, 2024:
"On May 28, 2024, Highland Health Systems engaged a third-party notice vendor to assist with the mailings, call center, and provide identity theft protection services. Thereafter, Highland Health Systems worked to verify the information and addresses for mailing."
So almost one year after first discovering abnormal activity, Highland first sent letters to affected patients. The fact that it notified HHS of the breach in February is important from a compliance perspective, but that didn’t help individual patients, who may not have known whether they were affected until they received an individual letter.
According to its submission to HHS in February and the Maine Attorney General’s Office, 83,543 people were affected by the incident. The template notification letter, submitted to Maine, describes the kind of information involved as varying for individuals, but involving a combination of:
Date of Birth, Social Security Number, Account Number, Payment Card Number, Payment Card PIN, Email Address and Password, Medical Information and Health Insurance Information; Tax ID; Routing Number; and Driver’s License or State ID
Where Are the Data Now?
Highland’s letter indicates that it is not aware of any evidence of misuse of personal information, and they have offered those affected complimentary mitigation services, but what happened to the data Blackcat stole? Did the FBI recover it from a seized server or is any copy still in the hands of any affiliate(s)?
Highland’s letter does not tell patients whether Highland knows what happened to the data. It would be helpful to know.