On June 10, the Everest Group added a listing for Avantic Medical Lab to its leak site, accompanied by a one-week countdown clock and four screenshots containing patient information as proof of the claims. When the attack first occurred, and whether Everest had contacted Avantic before June 10, is unknown to DataBreaches, but on June 10, Everest gave Avantic one week to get in touch with them.
Whether Avantic did or not is also unknown to DataBreaches, but what we do know is that on July 3, Everest leaked 31 GB of patient files.
Avantic Medical is a full-service Clinical Laboratory in Edison, NJ. They advertise that they service hospitals, hospital staff physicians, and the entire New Jersey, New York, and Pennsylvania Metro Area.
Hundreds of “Patient Files” that Everest leaked appear to relate to blood draws (testing) done in 2018. Testing on later dates for other patients was referenced in the Explanation of Benefits files, located in a folder from May 2023 under “Payments.” A third folder, “Accu Reference Send Out,” also contained patient information.
There were no databases in the data tranche, but some files were batched reports of insurance responses or other correspondence.
The types of information acquired and leaked for any individual patient varied by individual and type of file, but may have included:
- Patient’s Full Name
- Patient’s Address
- Patient’s Telephone number
- Patient’s Date of birth
- Patient’s Social Security number
- Medical Record Number
- Referring Doctor
- Referring Doctor’s Information
- Health Insurance Provider
- Employer or Group Name
- Policy Number
- Member ID
- Claim ID
- Covered Member’s Name
- Date of Blood Draw
- Type of Test(s)
- Results of Blood Tests
- Explanation of Benefits
- Diagnosis(es)
- Correspondence from Insurer
- Check information if Patient Paid by Check
- Credit Card Number with Expiration Date and CVV
There is no substitute notice on Avantic Medical Lab’s site as of this morning, and no report has been posted on HHS’s public breach tool yet.
DataBreaches emailed the lab this morning to inquire whether Everest’s attack had encrypted any files or had impaired functioning in any way. The email also asked whether Avantic has notifed HHS, the (New Jersey) the Division of State Police in the Department of Law and Public Safety, or patients.
No reply was immediately received, but DataBreaches will update this post when we receive a reply or more information becomes available.