On February 4, DataBreaches.net reached out to Nocona General Hospital (NGH) in Texas about an attack claimed by Conti threat actors the previous day. The hospital did not respond. On February 7, this site emailed NGH, writing, in part, “I see that Conti threat actors have dumped files that they claimed they copied and stole from your system when they attacked you with ransomware. As proof of their claims, they dumped a number of files from 2018.” Nocona was again asked to confirm whether or not they had been attacked. Once again, they did not reply, but on February 9, Texas media reported that the hospital’s external counsel, Brian Jackson, stated that the hospital had found no evidence of a breach of the hospital’s main patient database.
Jackson said the files accessed by potential overseas hackers were a part of patient transfer files and the amount remains unclear at the time.
Jackson also reportedly told media that the hospital was not a victim of a ransomware attack. His statements were intended to be reassuring, and maybe they were to those who weren’t looking at the proof of claims, but it seemed clear that at least some patient files had been taken from NGH.
On February 10, DataBreaches.net tried again, via email, writing, in part:
Conti threat actors have now dumped more than 1,700 files that they claim they exfiltrated from your server(s).
1. Are you (still) claiming that there was no ransomware or that nothing was locked up?
2. Are you still claiming that there was no ransom demand?
3. Are you notifying HHS/OCR of this breach?
Jackson called DataBreaches.net in response, and as this site reported later that day:
He did not have a lot of information to share at this point, but stated that they believed that the threat actors had not been able to access the EMR system, and that what they had accessed appeared to be an older server that held files relating to the transfer of patients. He reiterated what he had told NBC News — that they had not seen any ransom demand — but acknowledged that there might have been one and they just didn’t read it. They received no phone call demands, he stated.
After looking through more of the data dump, they do not appear to me to be from a folder that would relate to the transfer of patients to other hospitals or facilities, and it’s not clear why there would be files from 2010 in with files from 2018 and even early 2020. At some point, forensics will probably be able to clarify exactly where these files came from on their system.
Was Nocona even actually attacked with ransomware? When Jackson was asked whether the files were locked, he responded that they had been, but then it turned out he meant that the files had been secured before the attack. When the question was clarified for him, he responded that he believes that they were attacked with ransomware, but it clearly was not an answer said with any confidence. He also stated, in answer to another question, that the hospital’s consultants believe that they have kicked the attackers out of their network.
There was nothing further after that date. Conti threat actors did not add any more files to the data dump of 1793 files that have been available online on both clear net sites and the dark web since February 10. Of note, Conti has not indicated that they have dumped 100% of all files they acquired, which they often do when they claim they have dumped everything. A counter on their site indicates that there have been more than 38,000 views of their entry on Nocona with the list of downloadable files.
It is not clear how many actual downloads of the data occurred, but the data are still available and will likely remain available until either the threat actors remove the listing or someone takes their whole server down.
On May 5, three months after data were first posted on Conti’s dedicated leak site, NGH notified HHS and issued a statement on its site.
The statement begins:
Nocona General Hospital recently learned of a criminal cyber attack which enabled hackers to access certain file folders on its computer network. Upon learning of this incident, Nocona General Hospital immediately launched an investigation to more clearly understand its scope. Because the hackers gained access to Nocona General Hospital’s network, the hackers are believed to have accessed information in certain folders which may have included names, gender, ages, dates of birth, addresses, Social Security numbers, diagnosis information, procedure descriptions, or procedure codes.
No, it didn’t “recently” become aware. It became aware 3 months earlier.
You can read the full notification, embedded below, but DataBreaches.net would call attention to the fact that nowhere does Nocona reveal that patient-related files have been made freely and publicly available.
“The hackers are believed to have accessed information in certain folders,” they write, but Nocona knows that specific files were accessed and exfiltrated, even if it is not sure what folders were accessed. Why doesn’t it just bluntly tell its patients the unvarnished truth?
According to its notification to HHS, 3,254 patients were impacted. Letters were reportedly sent to them on April 30. For many of them, their protected health information may still be freely available on the internet, but they will have no idea of that.