Six months after DataBreaches reported that Fitzgibbon Hospital in Missouri had been the victim of a ransomware attack by Daixin Team, the hospital has finally disclosed the incident.
In a notification, the hospital claims that they detected the unauthorized access on June 6. But then they immediately make a demonstrably false statement. They state, “Though the investigation is ongoing, Fitzgibbon Hospital discovered on December 1, 2022 that some patients’ identifiable and/or protected health information may have been accessed and acquired in connection with this incident, including impacted individuals’ full names, Social Security numbers, driver’s license numbers, financial
account numbers, health insurance information, and/or medical information.”
The problem with that statement is that DataBreaches reported the attack on June 27 and reported some of the data the attackers had acquired. Not only would they have known by June 27 at the latest — and DataBreaches had emailed them several times by then — the bad actors had also informed DataBreaches that on June 9, someone representing the hospital had entered the support chat. They were given a test decryption and shown proof of data exfiltration.
Indeed, at any time in June, Fitzgibbon had plenty of reason to already know that protected health information had been exfiltrated — including data posted to Daixin Team’s leak site. And to make it worse, the data were then also leaked in August on Breached.co. Is Fitzgibbon trying to claim that the cybersecurity professionals it immediately hired in June never saw the data on the dark web, read the chat transcripts, or saw the leak on Breached.co in August? Seriously?
The hospital’s claims to have discovered on December 1 that PHI may have been accessed or acquired is the kind of misrepresentation that class action lawyers may love.
Fitzgibbon’s full notice of December 30 can be found linked on their website. Nowhere does it inform anyone that patient data was leaked on the dark web and made freely available.
Compare Fitzgibbon’s notice to the details provided in DataBreaches’ reporting on June 27. Is it really credible that they didn’t know PHI was involved until December 1? Once they knew in June that PHI had been accessed, the 60 day clock started running for them. It didn’t start at the conclusion of any investigation, and it’s about time HHS started taking the 60 day deadline seriously.
Fitzgibbon patient data has been publicly available since mid-June of 2022. Patients shouldn’t first be finding out now that their data were exfiltrated, and even now, they are still not being told that their data are on the internet — unless they happen to read DataBreaches.