On August 5, Atlantic Dialysis Management Services (ADMS) in New York issued a press release that no longer appears to be available on any of the sites that published it — with one exception. ADMS also posted a security incident notice on its website.
Their website notice reads, in part:
On June 9, 2022, Atlantic Dialysis Management Services, LLC (“ADMS”) discovered certain unauthorized activity within its computer systems. Upon discovery, ADMS immediately secured its network, reset passwords, and engaged a third-party forensic firm to investigate the incident. Following a thorough investigation, ADMS confirmed that a limited amount of patient information may have been accessed in connection with this incident. However, at this time, there is no indication whatsoever that any information has been misused or will be in the future.
And:
At this time, ADMS is not aware of any evidence to suggest that any information has been misused. However, ADMS was unable to rule out the possibility that the information could have been accessed. Therefore, in an abundance of caution, ADMS has partnered with third-party computer forensic company to perform a thorough review of the affected information to identify, and subsequently notify all potentially affected individuals.
On June 30, after seeing a listing on a leak site with some proof, DataBreaches had reached out to ADMS via the contact form on their website. They did not reply at all.
On July 20, the threat actors updated the leak site and leaked 812 MB of files from ADMS. On July 22, DataBreaches reached out to ADMS again. Again, they did not reply.
Yet on August 5, they issued a statement that did not mention that any patient data had been acquired at all – or leaked? On August 5, they only stated that some limited patient information may have been accessed?
How can ADMS say that they could not rule out that some patient data had been accessed when they already had proof that not only had it been accessed, but it had been acquired and leaked?
How can they claim that their actions were in “an abundance of caution” when data was not only accessed but acquired and leaked?
The following is a screencap of a file that was leaked well before the date of ADMS’s breach notification. It has been redacted by DataBreaches, even though it appeared unredacted and freely available on a leak site.
ADMS’s press release of August 5 stated, in part:
The type of information contained within the affected data included patient names, addresses, social security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information. Importantly, the information potentially impacted may vary for each individual, and may include all, or just one, of the above-listed types of information
Nowhere does ADMS’s statement of August 5 indicate that there was an extortion attempt in connection with this incident, that some data had already been leaked on the internet, and that more might be leaked.
On August 14, DataBreaches contacted the group who had leaked the data to ask about ADMS’s claim that a “limited amount” of patient data may have been impacted. Snatch Team responded that they did have patient data, and then followed up by sending DataBreaches a sample with more than 400 files that have not yet been shared on the leak site. They informed DataBreaches that they still have more data from ADMS to leak on their site, although DataBreaches does not know the total amount of data they acquired or might leak.
Many of the files Snatch Team provided are scans of .pdf files. Many of the scanned .pdf files include research protocols with forms reporting “Serious Adverse Events” (SAE) experienced by research participants. Those files did not have patients’ names, but from the description of the research protocol on the form, it was clear that the study participants were hemodialysis patients who had chronic kidney disease-associated pruritus. On each SAE report, one can also see the investigator’s name, the date of the report of the adverse event, the age of the participant experiencing the SAE, their date of birth, their gender, height, weight, and race, and what type of medical adverse event(s) they experienced and how they were treated for it.
Other scanned files in the sample included clinical procedure reports where the patient’s name, date of birth, and patient ID had been blacked out. Some files appeared to be batched medication summary reports where each page included a different patient by name, chart number, date, and prescribed medications. And yet other files contained more complete records with a patient’s name and details, such as an unredacted 6-page discharge summary for a named patient from a named medical center.
DataBreaches also noted Excel files with patient names, medication name and dosage from what appear to be studies, as well as .doc files with the names of patients participating in particular studies. Other .doc files were blank forms used as part of the studies.
The ADMS incident does not appear on HHS’s public breach tool at the time of this publication, so we do not know how many patients, total, ADMS has calculated were affected by the incident and require notification under HIPAA and HITECH.
DataBreaches does not know when Snatch Team will leak more data from ADMS, if they do, but as always, DataBreaches continues to urge entities to be more transparent in notifications and to alert people when data has already been leaked or is reasonably likely to be leaked. Saying only that protected health information “may have been accessed” seems deceptive when there is already proof some data has been acquired and leaked.