DataBreaches.net recently reported that Apex Laboratory Inc. had apparently been attacked by DoppelPaymer ransomware threat actors. Apex was added to their leak site on December 15.
As proof of their claims, the threat actors uploaded approximately 10,000 files containing protected health information (PHI) of patients and personally identifiable information (PII) of employees. The 10,000 figure is a count of files, not of unique patients, as many patients had more than one report on them in the files. But some files also contained PHI on hundreds of unique patients, as some of the files were from nursing homes or rehabilitation facilities on Long Island in 2018. It appears that Apex stored census data and rosters from these facilities. Whether the attackers also obtained any current rosters is unknown, but the data dump contained older data that included name, date of birth, Social Security number, Medicare, Medicaid, or insurance information, date of admission, date of discharge, and other details. Yet other patient-related files were test results/lab results for named patients from early 2020. Those files included patient name, date of birth, phone number, physician’s name, and laboratory findings/results. Employee data in other files included some payroll information as well as other types of employee information, such as a rental application with an employee’s full SSN and a photocopy of a driver’s license belonging to an Apex administrator.
DataBreaches.net reached out to Apex on December 15 when the dump was first spotted, but Apex did not reply then, nor to subsequent attempts to get any response from them. Their network administrator, contacted via LinkedIn, did not reply either.
This was not the first experience DataBreaches.net has had with Apex Laboratory ignoring inquiries from this site. Apex had a significant insider-wrongdoing breach back in 2012 that they only learned about when law enforcement contacted them. They ignored all of this site’s inquiries about that incident, too.
Of note, although Apex did not respond to this site’s inquiries, their listing was removed from the leak site shortly after I contacted them to ask about it. The removal of a listing can mean that a victim suddenly decided to pay the ransom demand, or it could mean that the threat actors were just busy updating the data dump. In this case, the listing didn’t reappear, suggesting that ransom had been paid or was being negotiated.
Because Apex did not respond to inquiries and there was no notice on their site, on December 29, DataBreaches.net contacted two of Apex’s clients whose patient rosters from 2018 had appeared on the leak site. Neither one had been contacted by Apex by that point, and both were concerned to learn of the breach.
Two days later, on December 31, Apex posted a notice on their web site. Was the timing coincidental or had upset clients called them on the 29th? DataBreaches.net wouldn’t be surprised if they had. Nor would this site be surprised to learn that Apex had no knowledge of any data exfiltration or dump until they received this site’s inquiry on December 15.
Apex Knew, But Didn’t Know
According to the notice on their web site, Apex first discovered the ransomware attack on July 25, 2020. Then why did it take five months from that discovery until they posted a notice on their site? The reason for the delay appears to be that their first forensic evaluation did not find any evidence of unauthorized access or exfiltration of patient information. Apex claims they first learned on December 15 that the attack had been worse than they knew:
However, on December 15, 2020, Apex learned that the hackers posted information on their blog about the attack and listed data taken that contained personal and health information for some patients.
Apex’s notice also provides some support for this site’s hypothesis that they paid ransom (emphasis added below):
Upon learning of the data that was taken, Apex, along with the assistance of forensic specialists, conducted a review of the files to determine what information was impacted and ensured that the data was removed from the hacker’s blog.
Of course, removing a sample of data from a blog is no assurance that all of the data is no longer in threat actors’ hands or hasn’t already been shared with others.
Apex’s notice also states that they are currently preparing letters to send out to those for whom they have addresses. At some point, I expect we will see this incident on HHS’s public breach tool and then we will find out how many patients Apex calculates were impacted.