DataBreaches.Net

Correction and Update: Mount Locker team denies responsibility for Sonoma Valley Hospital attack

Posted on by Dissent

On November 9, DataBreaches.net published “Without Undue Delay” which catalogued health sector ransomware attacks where attackers had dumped patient data as part of an attempt to pressure their victims into paying ransom.  That report was a companion to a post arguing that patients need to be notified sooner of ransomware dumps than HIPAA’s 60-day window might seem to allow.

In the report, DataBreaches.net wrote that the Mount Locker team was reportedly claiming responsibility for an October attack on
Sonoma Valley Hospital in California, and had reportedly dumped 75 GB of data. This site qualified its statements because

DataBreaches.net was unable to find any actual data dump, although the hospital’s name does appear on the threat actor’s leak site. The dump, reported by a well-known site, may have been removed as part of some renewed negotiations or something.

DataBreaches.net reached out to the threat actors to ask them about the reported dump, and today, received a response that denied they had attacked Sonoma Hospital. A spokesperson wrote:

Sadly to say our cartel partner did that. Mount team never attacks hospitals or direct infrastructure such as airports / water supply / etc.
When asked to comment on the incident, they added:
We believe the risk of human death is extremely far from our business. But some cartel members don’t care...
But why did HealthITSecurity report that Mount Locker had claimed responsibility for the Sonoma attack and had leaked data from it? According to their spokesperson, posting a link to the data was a mistake that they corrected:
We have removed a link. It was a repost from a partner that appeared on the news site due to a mistake by our staff. This should not happen anymore.
What partner? What cartel? Didn’t Maze claim that there was no Maze cartel other than in journalists’ minds? What cartel or partner is Mount Locker referring to? Rather than guess or speculate, DataBreaches.net put the question to them.  Let’s see if they provide additional information.
And while it may sound ridiculous to some to apologize to threat actors, DataBreaches.net does apologize for the error in the “Without Undue Delay” report that incorrectly attributed the Sonoma Valley Hospital attack to them. This site’s main thesis, however — that entities notify to patients quickly when threat actors dump data as part of a ransomware incident — is unaltered by that error.