On October 25, Lake Charles Memorial Health System (LCMH) in Louisiana received an email that began, “Ladies and gentlemen! Attention, please! This is Hive Ransomware Team.” The remainder of the email stated that Hive had been in LCMH’s network for 12 days and had exfiltrated 270 GB of files including patient and employee data. A sample of files was attached to the email as proof of claims, and Hive also commented on what they had found (typos as in the original):
We know about your planned Splunk SIEM Product Justification Meeting. This system will not help to protect your network. It will only make a slightly delay in next data breach your network will face. Our organisation is also offers you full information about weak spots in your networks and best ways to protect your business to prevent further hack attacks, information we can share will help you to make such breaches economically disadvantageous for big hacking organisations and “very hard to do” for small ones.
Copies of the correspondence between Hive and LCMH and files were shared exclusively* with DataBreaches.net. On inquiry, Hive’s spokesperson stated that they had not encrypted any of LCMH’s files, but had just exfiltrated them. They also informed DataBreaches that in addition to emailing LCMH, they had called them on the phone. Multiple inquiries sent to LCMH executives during the last week of October by DataBreaches received no reply.
On November 15, Hive provided DataBreaches with an email chain between Hive and LCMH and added LCMH to their dedicated leak site. Hive’s leak site notice did not provide any proof pack yesterday, but did start leaking data publicly today.
The email chain indicates that on October 27, someone using a protonmail account had responded to Hive’s email of October 25 and claimed to be a managing director with LCMH. A search by DataBreaches finds no LCMH employee by that name. A person by the same name is a system administrator in Texas, however.
Over the next few days, Hive sent LCMH’s negotiator a file list, as LCMH had requested, along with more information. According to the correspondence provided to DataBreaches, Hive demanded $900,000 to delete all files and provide LCMH with information on its vulnerabilities. DataBreaches did not see any email from LCMH indicating that LCMH ever tried to make a counteroffer at all.
On November 3, LCMH’s negotiator confirmed they had received some files they had requested as proof, adding, “We are discussing everything with our mid to upper management. We will have to get our board to convene a meeting to brief them on everything in the next few days so they can make a decision on how we should proceed.” When pushed by Hive as to when this would all happen, they replied on November 4 (typos as in the original):
The board will be convening next Friday. One week from today. We been instructed to review the data loss impact and the budget until them so we can present them with our findings and recommendation. With payment you will disclose the vulnerabilities to us that you used to access our network?
By then, Hive appeared to have come to the conclusion that LCMH was just stalling. There were a few more back-and-forth emails on November 7, and then nothing more from LCMH. LCMH did not contact Hive after November 7 and did not respond to any subsequent emails from Hive.
As of the time of publication, DataBreaches has not seen all the data Hive claims to have acquired and that they threaten to leak, and has not yet reviewed all of the data that they have already leaked, but it is clear that the leak does include protected health information on patients, such as a folder with 5,834 files for patients using the mammography service in 2022. Other folders contain internal documents, such as files relating to a previous HIPAA breach inquiry, and yet other folders and files contain personnel information on employees. Among the files in the leak, DataBreaches noted files containing personnel information that could be useful for phishing or socially engineering LCMH’s security personnel, and a folder with 664 files on individual employees with their personal and personnel information.
DataBreaches did not spot any patient databases or human resources databases at this time, and it is not clear whether Hive was able to access or exfiltrate those databases. This post will be updated as DataBreaches is able to review other folders in the leak that are not currently accessible.
For its part, LCMH, which discovered the breach on October 25, has yet to respond to inquiries or to post any notice or alert to patients on its website.
*Update: It appears that Hive has now reached out to all local media in Louisiana with details and the chat negotiations.