It looks like we may need to add Spine Diagnostic & Pain Treatment to our list of medical entities hit by ransomware groups. Conti Team added the Louisiana provider to their leak site earlier today, dumping 3,351 files that they claim represent 30% of all the files they exfiltrated.
Inspection of the files, which compromised almost 4 GB of data, revealed various types of files. A large portion of the files were driver’s license images, some of which were five or more years old. There were also patient records that included pain diagrams and insurance billing information and other records with patients’ personally identifiable and protected health information.
So what is the practice doing about the breach? Finding no notice on their website, DataBreaches.net sent them a contact form inquiry to ask for information on the breach and their incident response. No reply was immediately provided.
At the present time, then, we do not have any confirmation from Spine Diagnostic that they experienced a breach. But if these are indeed their data (and the letterhead on the forms leaves little doubt that the forms are connected to this practice either directly or via a vendor), then did Conti encrypt their server(s) or otherwise interfere with patient care? Has the practice received any extortion/ransom demand, and if so, did it negotiate at all? When did this breach occur? Has it been reported to HHS? Has it been disclosed to patients? How many patients and/or employees had their personal information or protected health information stolen?
This post will be updated when more details become available.