Cardiovascular Consultants LTD (CVC Heart) in Arizona may or may not have been the victim of a ransomware attack, but they have not responded to inquiries about that. So far, all we have are unsubstantiated claims by a ransomware group and an alleged data archive download that doesn’t download.
On October 25, Cardiovascular Consultants LTD (CVC Heart) was added to Qilin’s dark web leak site. The listing does not provide much information but claims, “You can download all personal data of clients and employees of this company below.” The link to what purports to be a compressed file 205.93 GB in size does not work, however. Perhaps it is there simply as a warning to pressure CVC Heart to pay them. Qilin did not respond to a site visitor who asked them about the non-working download and were not logged in to their Jabber account when DataBreaches attempted to find them there on a few occasions.
On November 3, DataBreaches sent Cardiovascular Consultants an inquiry via their website. No reply was received. On November 4, DataBreaches reached out to the Privacy Officer contact information linked from their site. No reply has been received from them, either.
At this point, then, Qilin’s claims are unconfirmed.
In May 2023, Group-IB wrote a report on Qilin’s Ransomware-as-a-Service (RaaS) program. According to their report, Qilin uses Rust-based ransomware in a double-extortion model, i.e., encrypting files and exfiltrating data. Sectrio also provides details on Qilin in their July 2023 report.
DataBreaches will update this post if more information becomes available.
Update: On December 1, Cardiovascular Consultants reported the incident to HHS as affecting 484,000. On December 4, they added a notice to their homepage, saying, “Cardiovascular Consultants Ltd. (CVC) experienced a cybersecurity incident on September 29, 2023. Regrettably, that incident affected information in our computer systems related to current and former patients and other persons involved in their care, such as account guarantors and insurance subscribers. Click here for additional information and steps you should take if you believe your information may have been involved.”
That notice indicates that the attack occurred on or before September 27 and that the attacker(s) accessed certain systems, encrypted information, and stole some CVC information:
The personal information on our computer systems may have included information that we maintain about our patients, such as name, mailing address, date of birth, and other demographic and contact information, including emergency contact information, Social Security number, driver’s license and state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records. Our systems also contained information regarding account guarantors including name, mailing address, telephone number, date of birth, and email address. Our systems further contained information regarding insurance policy holder/subscribers including name, mailing address, telephone number, date of birth, insurance policy information, such as group or policy number, and, in some cases, Social Security number.
CVC’s notice makes no mention of any ransom demand or their response to any such demand. Nor do they mention any leak site or threat of leaking the data.
As of December 14, 2023, Qilin threat actors have still not provided the working data download that they claim to offer on their leak site.