Two ransomware groups claimed to have attacked Consulting Radiologists. The notification is silent about any ransom demands.
Consulting Radiologists LTD. (“CRL”) in Minnesota is a physician-owned practice. On February 12, 2024, they detected suspicious activity on their network. An investigation revealed that an unauthorized actor had accessed certain files and data. Those files contained patient information including name, address, date of birth, Social Security number, health insurance information, and medical information. Small subsets of patients had their Social Security number or driver’s license number impacted, and another small subset included face sheets and imaging reports. The type of information at issue reportedly varied for each person.
CRL posted a notice on their site on June 14, notified regulators, and notified affected patients for whom they had current contact information.
According to their report to HHS on June 14, 583,824 patients were affected. On the same day, they reported the total number affected to Maine as 511,947. They provide no explanation for the discrepancy in numbers and do not explain why so much unencrypted protected health information was connected to the Internet or accessible to criminals.
Additional details and advice to those affected are available in their website notice.
Ransomware Groups Claim Responsibility
CRL’s notification does not indicate who the threat actor(s) were, whether any data were encrypted, or whether there was any ransom demand. A search of ransomware group leak sites finds that LockBit3.0 claimed responsibility for the attack in April 2024 with proof of claims and then updated their listing in May 2024. Qilin also claimed responsibility for the attack in May and also posted proof of claims. Neither group of threat actors appears to have subsequently leaked the data and the listing no longer appears on LockBit3.0.
“Full transparency?”
Whether both groups collaborated or independently attacked CRL is unknown to DataBreaches at this time, but CRL’s notification does not warn patients about the threatened leak of their data. Their notification letter to those affected claims, in part:
Upon learning this, CRL began a time-consuming and detailed reconstruction and review of the data stored on the server at the time of this incident to understand whose information was affected. On April 17, 2024, CRL identified persons whose sensitive data was included within the impacted data. At this time, we have no evidence any of the information has been misused by a third party, but because information related to you was disclosed, we are notifying you out of full transparency.
Perhaps they define “full transparency” differently than DataBreaches does, but if my personal and protected health information was allegedly in the hands of two different Russia-linked criminal groups, I would want to know so that I could assess my risk and take appropriate steps to protect myself.
And no, you are not notifying out of “full transparency.” You are required by law to notify.