On Thursday morning, ThreeAM added Carolina Arthritis to its leak site. Some ransomware groups add a listing, post some claims and a few screencaps, and then give the entity a deadline to pay up, or they leak a bit of data and then give the entity a final deadline. ThreeAM doesn’t seem to work that way. Within hours of posting the listing with a note that files would follow soon, they leaked all of the data they had exfiltrated from the medical practice.
ThreeAM provided DataBreaches with some additional details about the incident, including a file list showing what was exfiltrated. They also told DataBreaches that the attack was on September 27 and that they had encrypted the medical practice’s files.
In response to a query about how much data they acquired, their spokesperson responded that a lot of documents that should be protected under HIPAA were uploaded. The protected health information (PHI) included personal information (including that of one of the physicians), medical histories, medical records, test results, and more.
DataBreaches asked whether there had been any response from Carolina Arthritis to ThreeAM’s demands or any negotiations. ThreeAM replied that there had been some negotiation with Dr. Harris, but it turned out to be a waste of their time. They decrypted a few files as proof of their ability to decrypt files, and when Dr. Harris reportedly asked them to extend the timer to pay, ThreeAM claims they agreed to give them more time. But Dr. Harris reportedly never made any counteroff to their demand, only asking that they be “more reasonable,” because they didn’t have the money to meet the threat actors’ demands. That response did not sit well with ThreeAm, it seems, as they had found the doctor’s retirement account statement in the files and could see that the doctor had a very hefty retirement balance. (ThreeAM did not reveal the amount of their initial demand, and DataBreaches is not revealing the bank statement showing the doctor’s retirement account, a copy of which was provided to this site).
Inspection of the file list provided to DataBreaches revealed that there were many internal business records on Carolina Arthritis’s Z: drive, including some employee data such as payroll, tax information, 401k, and other benefits information. Much of it went back years, but since SSN and other identity information may not change, people will have to be notified. The internal documents also contained a number of files with computer usernames and passwords. DataBreaches hopes that none of it is current data and that the practice didn’t reuse passwords or they may have another big item on their incident response to-do list.
More than 20 years of files will have to be reviewed to figure out who needs to be notified and what types of information were involved for them.
Carolina Arthritis did not respond to inquiries submitted via its site yesterday morning. Nor did it respond to inquiries submitted yesterday afternoon asking whether the attack had impacted patient care at all and if they had a usable backup for any patient files that may have been encrypted. While it does not appear that ThreeAM accessed the EMR system, even old scanned files can be important in patient care to compare how a patient was doing years ago to how they are doing now.
This post will be updated if Carolina Associates replies or more information becomes available.