On May 3, Methodist Family Health (MFH) in Arkansas notified HHS that 5,259 patients were affected by a breach.
On their website, MFH posted a notice on the same day. It begins:
Methodist Family Health (“MFH”) experienced a data breach on March 4, 2023, that was first detected on March 6, 2023. After a thorough investigation, we have determined that a variety of documents a business associate uses to provide pharmacy services containing protected health information (“PHI”) were accessed and copied without authorization. The types of information involved in the breach included, in some instances, full name, date of birth, date of admission or treatment, home address, account number, diagnosis, service charges, or medication information. Through our internal investigation and our consultations with and examinations by outside cybersecurity and privacy specialists, we have determined that soon after the breach was detected, unauthorized access was terminated, and additional measures were taken to strengthen privacy and data security. We continuously review and update our internal processes and procedures and will implement suggested guidance. Our additional cybersecurity measures are specifically designed to ensure the safety and security of patients’ PHI. We take safeguarding our patients’ PHI very seriously and will continue to strive to fully protect all privacy interests of our clientele.
Hopefully, their letter to those affected provides more detail about what happened and what patients, their families, or their guardians need to know.
On or about March 8, DataBreaches noted that MFH had been added to the leak site for Avos Locker ransomware. At the time, some people speculated that it was one particular Avos Locker affiliate who had been responsible for the attack — a person who was allegedly also responsible for a deplorable attack on SickKids, a children’s hospital in Canada. LockBit subsequently apologized for the SickKids breach, removed the listing for their leak site and offering them a free decryptor to try to help them.
Whether the same individual really was responsible for either attack or both attacks is unknown to DataBreaches. But at some point, the MFH listing was removed from Avos Locker’s site. Whether it was removed because MFH paid ransom or whether it was removed because Avos Locker regretted what the affiliate had done and removed it is unknown to DataBreaches.
Because there is a lot unknown about this incident, DataBreaches emailed MFH today to ask four questions:
- Why their notice made no mention that this had been a ransomware attack;
- Whether MFH had received any ransom demand;
- Whether MFH had paid, or authorized others to pay any ransom; and
- Whether patients or their families or guardians had been told that their data was in the hands of a Russian threat actor or group who might misuse the information.
No reply has been received as yet.
MFH deals with an extremely vulnerable population: children who are abandoned, abused, neglected and struggling with psychiatric, behavioral, emotional and spiritual issues.
That any ransomware group or individual affiliate would try to extort this organization or even think about leaking data from these children is… heartless. DataBreaches hopes that Avos Locker removed the listing because it was appalled at what someone had done in their name or by using their service.