In January, the BianLian ransomware group added an unnamed medical group to their leak site. In February, they also posted a teaser on their BreachForums account. Although neither listing named the victim, DataBreaches was able to figure out that it was the Northeast Surgical Group (“NESG”) in Michigan. DataBreaches reached out to them multiple times, but Northeast Surgical Group did not reply to an inquiry sent via their website contact form on January 28. They did not reply to a contact inquiry sent via Linked on January 29, and they did not reply to another contact form inquiry on February 17.
Data from NESG was leaked on BreachForums in early February and eventually on BianLian’s dark web leak site, but silence from NESG until they notified 15,298 patients and HHS on or about March 6.
Despite the presence of data on clearnet and dark web sites, NESG begins its notification letter by writing:
Northeast Surgical Group (“NESG”) is notifying individuals whose information may have been involved in a data incident. At this time, NESG does not have any evidence to indicate that any personal information has been or will be misused as a result of this incident.
The boldface in the preceding sentence was their doing. What kind of evidence would show NESG that personal information WILL BE misused in the future? How about if it’s dumped and made freely available to criminals?
“We take the security of personal information seriously and want to provide information and resources that can be used to protect personal information,” their letter continues, having ignored three requests from this site for information that could have alerted patients early to take steps to protect themselves.
According to NESG’s description of the incident:
On January 8, 2023, NESG detected suspicious activity within its network environment. Upon discovery, NESG immediately engaged a law firm specializing in cybersecurity and data privacy to investigate further. Additionally, NESG engaged third-party forensic specialists to assist NESG in its analysis of any unauthorized activity. The investigation concluded on February 13, 2023. While the potentially impacted information varies by individual, the investigation concluded that certain personal information – including name, address, Social Security number, and, in some cases, date of birth and medical and treatment information – were accessed by an unknown party that is not authorized to handle or view such information.
Notice what their statement did not disclose:
They did not disclose whether this was a ransomware incident and whether there was any ransom demand. Did BianLian deploy malware that encrypted files or did they access and exfiltrate data without locking anything? And was there a ransom demand? If so, did NESG respond to it at all?
And, significantly, NESG did not disclose that patients’ protected health information (PHI) was publicly dumped and is available to anyone and everyone for free.
You can read the Northeast Surgical Group’s full notification letter at their website.
DataBreaches has reached out to BianLian to ask them if they deployed any locker as part of the incident, whether or when they contacted NESG with any ransom demand, and if they did issue a ransom demand (which seems probable), whether NESG responded at all. No reply was immediately received.
This post will be updated if a reply is received.