In August 2020, DataBreaches reported that the Maze ransomware gang had added Ventura Orthopedics to their name-and-shame leak site. At the time, Ventura did not respond to inquiries about whether they would confirm or deny the claims. And they did not respond to other inquiries from DataBreaches when the Conti ransomware gang subsequently listed 1,850 Ventura Orthopedics on its leak site.
On August 28, 2020, DataBreaches updated its post to report that this site was contacted by Chris Roberts, who was with HillBilly Hit Squad at the time. Roberts said he was contacting DataBreaches on behalf of Ventura Orthopedics who had asked him to help explain the incident and their then-current status. Roberts stated that he was still conducting forensics and asked if he could get back to DataBreaches shortly. DataBreaches agreed.
Roberts never followed through with DataBreaches and after a few polite attempts on this site’s part, he did not respond at all.
In January 2021, DataBreaches wrote a report to follow up on some breaches that had not been publicly disclosed. It included Ventura Orthopedics. DataBreaches also filed a watchdog complaint with HHS OCR about Ventura.
Over the next few years, there was no real progress or resolution that DataBreaches could detect. DataBreaches would occasionally get an inquiry from HHS asking if there were any updates and if we still had all the data we had offered to HHS when we filed the complaint. Things started to move, however slowly, in an April 2023 conference call with HHS, during which their investigator asked DataBreaches if we would be willing to reach out to Ventura to offer them a copy of the data. DataBreaches firmly (and somewhat impolitely) declined, stating that DataBreaches had reached out multiple times to Ventura to no avail and their consultant had ghosted DataBreaches. If Ventura wanted help from DataBreaches, they would have to pick up the phone and ask for it.
Several months later, they did. In September 2023, DataBreaches met with their CFO and IT Director in a video conference call. Neither of the employees had been employed by Ventura at the time of the breach, and both were first trying to understand exactly what had happened and what Ventura had done in response. DataBreaches gave them a recap of the incident and its chronology, and arranged to securely transmit all the data from the leaks.
Today, Ventura contacted DataBreaches with a copy of the notification letter they are now mailing out to those affected. The letter explains, in relevant part:
We are sending you this letter as part of our continuing commitment to your privacy. Recently, we became aware that a health information security breach that occurred on July 28, 2020 was more extensive than we believed at the time. The breach involved a ransomware attack on our server resulting in the exposure of a number of documents. Our initial investigation indicated that the health information of only one patient had been compromised. However, on September 13, 2023, we learned that the breach involved information about a larger group of patients. The information came from the server files of a single physician and his physician assistant and was limited to the patient’s name, date of birth, and drug and laboratory testing results from 2016, 2017, and 2018. We have reason to believe that your information was among those files.
In August 2020, we took steps to investigate the incident, to notify the patient of the breach, and to prevent any such breach from recurring. This included a full internal lockdown as well as an outside security audit to ensure our electronic medical record system had not been infiltrated. We recently conducted a formal security risk assessment across all our data center facilities. We have received no evidence to suggest that any further patient information has been disclosed or breached since that time.
No social security numbers, financial account or payment card information was exposed as a result of the July 28, 2020 breach.
Ventura has also posted a notice on its website.
What a shame that HHS didn’t handle this faster, although the pandemic may have slowed things down somewhat. For three years, patients may have had no idea their protected health information was stolen and leaked.
DataBreaches does not yet know how many patients Ventura has now notified. Nor does DataBreaches yet know what, if anything, HHS OCR will do at this point. Will it just close the investigation and send DataBreaches a closing letter? Will it impose conditions on Ventura? Will there be any monetary penalty? DataBreaches hopes it won’t take another three years to find out, but is pleased that now patients are being informed of what they should have been told three years ago.