Today’s post is a reminder of why we should all perhaps wait a bit before simply repeating criminals’ claims about an attack.
The group known as World Leaks recently added Freedman Healthcare to their leak site, claiming to have acquired 52.4 GB of data comprising more than 42,000 files. Some news sites reporting on the listing used words like “ransomware” and “patient data” or “e-health data.”
None of those descriptions was really accurate, and World Leaks never claimed to have acquired patient data or “e-health” data.
When World Leaks first added Freedman to its site, DataBreaches sent a contact form inquiry to Freedman asking if they had confirmed that there had been any breach, and if so, whether protected health information (PHI) of patients was involved. No reply was immediately received.
When World Leaks subsequently added the ability to see directories and filenames, DataBreaches sent a second contact form inquiry to Freedman.
And then we waited. Others published, but based on what we saw when we scrolled through the filenames and folder names, we held off because we had seen no clear indication that patient data had been leaked.
Freedman responded to our inquiries by email the following day. John Freedman, CEO of Freedman Healthcare, wrote, “Who are you?” And that was all he wrote.
Fighting the impulse to get distracted by the existential question, DataBreaches answered his question, observed that there was a lot of sensitive personnel information such as W-2s in the data tranche, and then added another question to the inquiries we had sent:
I also saw a purchase order for $100k in BTC from May of 2022, reportedly for a ransomware payment. Were you the victim of a ransomware attack in 2022?
He did not reply to that, either. But he did send Cybernews a statement in response to their earlier reporting. His statement included, in bold face, a statement that “no health data was compromised in this incident.”
Rather than just updating or apologizing for any possible errors in previous coverage, Cybernews decided to try to salvage some story by writing, “The problem here is that Freedman’s declaration, while possibly true, does not account for the other 52.4 GB of sensitive data claimed by the cybercriminals – and published on the gang’s dark leak site as promised, also on Tuesday.”
Cybernews’ second report on the incident contains what appears to be some accurate descriptions of data in the leak. DataBreaches had also found years’ worth of employee salary and tax information as well as other internal documents. But as Freedman told Cybernews, the incident did not appear to involve any protected health information of patients, even though Cybernews tries to raise the possibility of misuse of what was leaked to enable access to patient data.
Addressing other inaccuracies in reports circulating about the attack on Freedman Healthcare, DataBreaches would note:
- This was not a ransomware attack, and World Leaks does not describe itself as a “ransomware” gang or group. World Leaks reportedly broke away from Hunters International because World Leaks did not want to use ransomware, as a spokesperson told DataBreaches in a recent chat. Whether the individuals involved in World Leaks had previously been involved in Hunters’ devastating ransomware attacks on medical entities is unknown to DataBreaches.
- Freedman’s statement does not indicate there was any encryption or ransomware involved. But since Freedman’s statement to Cybernews mentioned “malicious files,” DataBreaches has reached out to World Leaks to confirm the nature of the “malicious” files and will update this post if a reply is received.
- Hunters International had reportedly planned to stop using ransomware and to go to an exfiltration-extortion model only, re-branding as World Leaks. Some sites report that they did abandon using ransomware, but if one simply looks at their leak site, it is clear that Hunters International is still encrypting some of their victims.
But the bottom line is that this appears to be an attack that resulted in the leak of employees’ financial and other information (PII), as well as internal and business files of Freedman, but not patient data or PHI.
If Freedman answers this site’s question about the 2022 purchase of BTC, presumably to pay for a ransomware attack, this post will be updated.