DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Update: Gramercy Surgery Center attackers leaked patient data going back 20 years (1)

Posted on August 14, 2024August 23, 2024 by Dissent

On June 18, Gramercy Surgery Center in New York discovered it might have been the victim of a cyberattack attack. It had been, and DataBreaches recently reported that the threat actor(s) known as Everest Team leaked more than 460 GB of files they claimed to have exfiltrated. Neither Gramercy Surgery Center (GSM) nor Everest responded to email inquiries.

Since that report, DataBreaches has begun examining some of the leaked data from three parts of the multi-part leak. One part contained accounting files and data from 2020 and 2021. While they contain internal and financial documents that might be of interest or potential misuse, the other two parts confirmed this site’s impression that Everest acquired a lot of patient data.

With respect to patient data, almost all of the files with patient data that DataBreaches has found so far are individual .pdf files that are scans of other files, including scans of files that had handwritten notes. A few .csv files contain patient data going back to 2004 and 2005 dates of service for accounts that were sent to collection years ago.

Password protection, or lack thereof

DataBreaches was initially pleasantly surprised to find that many of the first folders that DataBreaches checked appeared to be password-protected.  Unfortunately, further inspection of more files and folders revealed that there was a folder named “Password – [****].” Yes, the password for all of those password-protected patient files was a simple four-letter common noun that was given in a folder name.

A listing of folders and files showed a folder called "Password_****" where the actual password was shown.
A folder called “Password_****” revealed the actual simple password in the folder name. Image: DataBreaches.net.

Of course, even if they had not conveniently listed the password in a folder name, a simple password recovery program or tester would have discovered it quickly.

So not all folders with patient files required a password, and the ones that did generally all used the same simple four-letter common noun word as their password. The IT department seemed to have a strong password for its files that contained password lists, but a file for credentialing passwords was unprotected in a folder on credentialing. That file contained a username, password, security questions and answers, as well as full credit card information with expiration date and cvv code.

What was in the patient files?

Everything:  patient demographic information such as name, address, phone number, email address, Social Security number, entire medical history, pre-surgical, surgical, and post-surgical notes and records, billing and health insurance information, and information on accounts from 2004 and 2005 appointments that were sent for collection.

Some patient files consisted of dozens of pages of records. Not everyone had the same types of information, but all of the patient-related files had protected health information.

Among the files that were not even password-protected, DataBreaches saw folders with pathology reports, operative reports, cancer reports, and responses to subpoenas and other records. There is also a folder called “HIPPA” (sic). All of the files in that folder have patient names as the filenames with “HIPPA” after the name.

What next?

DataBreaches has not yet downloaded all of the leaked data but it is clear that GSM faces a significant challenge in terms of data breach review to determine who they need to notify and exactly what types of information each person had in records. It is not surprising that GSM has yet to submit a report to HHS. When they do, we may see a “500” marker for a while.

Will employees and providers also need to be notified? DataBreaches does not yet know for sure, although some provider information has already been found in the leaked data.

Updated: The incident was reported to HHS on August 9 as affecting 50,554 patients.


Great thanks to Marco A. De Felice of SuspectFile.com for his help downloading the data. 

Related posts:

  • Gramercy Surgery Center hacked; data leaked on dark web (1)
Category: Commentaries and AnalysesHackHealth Data

Post navigation

← Kootenai Health sends notifications for 464,088 people after February attack
U.S. Army Intelligence Analyst Pleads Guilty to Charges of Conspiracy to Obtain and Disclose National Defense Information, Export Control Violations and Bribery →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.