Northeast Rehabilitation Hospital Network (“NRHN”) is a comprehensive network of physical rehabilitation services that includes four inpatient hospitals and 25+ outpatient rehabilitation clinics. It also provides pain management and specialized pediatric outpatient rehabilitation.
On July 19, NRHN notified the U.S. Department of Health & Human Services (HHS) of a “hacking/IT incident” that affected 501 patients. The “501” is usually a marker when the entity does not yet know how many were affected, but believes the number is over 500 and requires notification to HHS and affected individuals within 60 calendar days from discovery.
In a substitute notice on its website, NRHN discloses a “data privacy incident.” It begins:
Northeast Rehabilitation Hospital Network (“NRHN”) is announcing a recent event that may impact the security of information related to certain current or former NRHN patients. Although NRHN presently has no evidence that any such information has been used to commit identity theft or fraud, NRHN is providing information about the incident, steps taken since discovering the incident, and resources available to individuals to help protect their information from possible misuse, should they feel it is appropriate to do so.
What Happened? On or around May 22, 2024, NRHN became aware of suspicious activity affecting certain systems within its network. NRHN immediately launched an investigation to confirm the full nature and scope of the activity. The investigation determined there was unauthorized access to NRHN’s network between May 13, 2024, and May 22, 2024, and that certain files and folders within the network were or may have been taken without authorization during that time. NRHN’s investigation to determine the information that may have been present in the potentially affected files is ongoing. NRHN will notify affected individuals identified through the review process and for whom it has address information via letter with additional information.
What Information Was Affected? The investigation into the affected information is ongoing. The information potentially affected may include a combination of certain individuals’ names, contact information, Social Security numbers, patient identification numbers, medical record numbers, medical information, treatment information, diagnosis information, health insurance information, driver’s license/state identification numbers, financial account information, and dates of birth.
Can current and former patients decide whether it is “appropriate to” help protect their information from possible misuse when the notice omits critical information?
NRHN’s substitute notice does not tell patients and employees that this was a ransomware attack with encryption of files as well as exfiltration of data.
NRHN’s substitute notice does not disclose that data has already been leaked on clearnet and dark web leak sites.
This Was a Ransomware Incident
DataBreaches’s investigation discovered that this incident was a ransomware attack by the group called Hunters International. They claim to have exfiltrated more than 410 GB of data, comprising more than 352,000 files.
Inspection of the available data suggests that some of it is old and some is current. Although it is not clear how much patient data the threat actors may have acquired because the entire file tree did not open, NRHN’s substitute notice suggests that patient data was stolen.
The file tree for “All Data” contains folders for Admissions, Clinical, Hospitality, HumanResource, and Pediatrics.
- The portion of the Admissions folder that was accessible did not contain any patient admission databases but did contain a folder with completed forms to correct patients’ medical record numbers.
- The Clinical folder contained more than 300 GB of the 410 GB the threat actors claim to have acquired. There appear to be more than 148,000 files in the Clinical folder, but as noted above, neither the full tree nor all files were accessible at the time DataBreaches attempted to determine what kinds of files the threat actors acquired.
- The small portion of the Pediatrics folder that was viewable contained internal documents and one patient evaluation report.
- The portions of the Human Resources folder that were viewable included some personnel data on a limited number of employees, including 401(k) information, termination benefits, and W-2 data. NRHN’s substitute notice does not mention that employee data may have been acquired.
Because Hunters International does not provide contact information for journalists, DataBreaches was unable to contact them to ask about other data. Of note, however, the listing on the leak site has a small section for “Requested Files,” which may mean that Northeast Rehabilitation Hospital Network attempted to negotiate or contact the threat actors and requested proof that files could be decrypted.
Hunters recently announced that they had updated their encryption/decryption software to v5.0.0.
What is NRHN Doing in Response to This Breach?
NRHN’s substitute notice states:
NRHN takes this incident and the security of information in their care very seriously. Upon becoming aware of this incident, NRHN promptly commenced an investigation to confirm the nature and scope of this incident. This investigation and response included confirming the security of our systems, reviewing the contents of relevant data for sensitive information, and investigating to determine the information that may be involved. NRHN also notified federal law enforcement. As part of NRHN’s ongoing commitment to the privacy of information in their care, NRHN is reviewing its policies, procedures and processes to reduce the likelihood of a similar future event. NRHN will also notify applicable regulatory authorities where necessary.
We have heard that before from them.
This is Not NRHN’s First Cyberattack
In November 2021, NRHN reported a “hacking/IT incident” to HHS that affected 500 patients (another marker). The unauthorized access occurred between September 30, 2021 and October 5, 2021. NRHN notified HHS in November 2021, published a substitute notice on its site, and notified major media in the area. In August 2022, they filed a report with the Maine Attorney General’s Office that indicated that a total of 190,220 people were affected by the incident. The types of information affected included name, address, date of birth, driver’s license, Social Security number, and financial account information. It wasn’t until August 2022 that they sent individual notification letters. In the letter, they informed recipients what they were doing in response to the breach:
We take this incident and the security of personal information in our care very seriously. Upon discovery, NRHN immediately took steps to ensure the security of our systems and investigate the event. Notice of the event was provided to local and national media outlets and posted on the Northeast Rehabilitation website. As part of our ongoing commitment to the privacy of information in our care, we have implemented additional technical security measures to strengthen the security of our systems. We also have reviewed and enhanced existing data privacy policies and procedures. We immediately notified the FBI and other regulatory bodies of this incident and are updating additional agencies as required.
And yet here we are again?
A check of HHS’s public breach tool shows that there has been no update to their 2021 submission to HHS for the number affected. DataBreaches does not know whether NRHN submitted an updated figure to HHS but HHS just hasn’t entered it, or if none has been submitted. DataBreaches could determine, however, that HHS has not closed its investigation into the 2021 breach. There is no closing statement in the breach tool for that incident.
So now there have been two cyberattacks and we do not know how either one occurred or what security measures NRHN had in place before either of them.
DataBreaches does not know whether HHS will combine any investigation into this newest incident with any previous or ongoing investigation.
Putting the Question to NRHN
DataBreaches emailed NRHN to ask three questions:
- How did attackers gain access in 2021 and how did attackers gain access in 2024? Was this the same vulnerability or weakness in security?
- How many patients were affected in this latest incident?
- Why should patients have confidence in NRHN to protect their data after two breaches? What will NRHN do to really lock down data or protect it better?
No reply has been received by publication.