Earlier today, DataBreaches reported that MCNA Dental allegedly suffered a cyberattack involving patient data. According to the threat actor who claimed responsibility for the attack (Everest Ransom Team), this incident was totally unrelated to a February 2023 ransomware attack by LockBit, data from which was supposedly leaked in April 2023. In May 2023, MCNA Dental reported that the February attack affected 8,923,662 people, of whom 8,861,076 were patients. In the newer incident, Everest Ransom Team claims that approximately 1 million patient records are involved.
MCNA has yet to respond to an email inquiry from DataBreaches about the newest incident. But MCNA isn’t the only entity that appears to have suffered a second attack recently. U.S. Dermatology Partners, which was allegedly breached by BianLian earlier this year and had 300 GB of its files leaked in August, has now allegedly had 1.8 TB of files leaked by Black Basta.
Although BianLian’s listing from June 2024 did not claim to include any patient data, the filelist for the data tranche did indicate that protected health information (PHI) was involved. DataBreaches did not download or inspect the entire data tranche.
Black Basta’s leak post also makes no mention of patient data, but inspection of its data tranche revealed that there is a lot of PHI in the newest leak.
But is the data in Black Basta’s leak the same as what BianLian leaked? Looking at some of the Black Basta leak, it appears the last date stamp for some files was June 18 or June 19, 2024. This would be consistent with BianLian’s incident and timeframe. But are they the same files? DataBreaches spot-checked some of the files date-stamped June 18, but didn’t find them in the BianLian data leak.
Did Black Basta just access more data than BianLian had accessed? Did both groups purchase the same access from a third party? One of the things DataBreaches noticed was that files in the Black Basta leak with logins and passwords were date-stamped June 18. If U.S. Dermatology Partners had changed their logins, those credentials should not have been in the Black Basta tranche. Did they fail to change credentials by the time Black Basta accessed them, or is there some other reason?
DataBreaches submitted inquiries to both Black Basta and U.S. Dermatology Partners but had received no replies by publication. DataBreaches had previously sent inquiries to U.S. Dermatology Partners on August 27 about the BianLian attack. They did not reply to those at all, and no report appears on HHS’s public breach tool for that incident. This post may be updated if more information becomes available.
The post was updated at 7:12 pm to note that U.S. Dermatology Partners never replied to an earlier inquiry from DataBreaches about the BianLian incident, and that incident does not appear to have been reported to HHS yet.