I hate to see medical entities become victims of ransomware attacks, but if they do, then I’m glad to see them promptly alert patients to any problems.
Central Indiana Orthopedics is a positive example of prompt alerting. The following notice appears on their web site:
IMPORTANT ANNOUNCEMENT: We regret to inform you that Central Indiana Orthopedics experienced an organization-wide network interruption on October 16, 2021. Out of an abundance of caution, we have taken all of our systems offline to ensure they are clean prior to restoring our network from backups. We have also engaged a third party specialized cybersecurity team of experts to assist with restoration in addition to conducting an investigation to determine how this incident occurred and the overall impact on our information systems. We are working diligently to continue treating scheduled and walk-in patients and we apologize for any inconvenience this may cause. We will provide you with more information as it becomes available.
Yesterday, threat actors known as “Grief” added Central Indiana Orthopedics to their dark web leak site. As is their practice, the threat actors also provided proof of claims — some files allegedly exfiltrated from CIO’s system.
Inspection of the proof of claim files does support the claim that they successfully attacked CIO and exfiltrated at least some patient data. DataBreaches.net observed laboratory reports from ARIA with drug screen panels on named patients as well as various spread sheets on patient encounters.
Grief does not indicate how much data they claim to have exfiltrated. Nor do they indicate how much of a monetary ransom they have demanded to destroy any data. The fact that Grief has dumped some data generally means that their victim (in this case, CIO) has not agreed to pay their demands. Grief tends to dump more data in installments over time.
This post will be updated as more information becomes available. CIO is probably being advised NOT to pay any extortion demands because, to put it simply, criminals cannot be trusted to keep their word and even if they pinky swear that they will destroy data and never ever misuse it, they may not keep their word. If CIO has usable backups that they can use to recover important files, that may be their focus.