Eric Anderson reports:
A number of Community Care Physicians patients may have had their protected health information, date of birth, and insurance coverage exposed during a hack of computers at Albany-based accounting firm BST & Co. CPAs.
Those affected were first notified by letter from BST on Tuesday. BST said the computer virus was active between Dec. 4 and Dec. 7, 2019, and that BST first learned of the infection on Dec. 7.
Read more on Albany Times Union.
UPDATE: This breach appears to be the work of MAZE TEAM, threat actors that I have reported on several times in recent months. Additionally, the Daily Gazette reports that Community Care stated that patient data was exposed but there is no evidence it was accessed or misused. On Maze Team’s site, however, BST is listed as a full data dump victim, and the attackers have listed a directory of files that they have dumped and made freely available. If patient data was on BST’s server or any of the servers the attackers list on their site, then it is likely that the attackers did get and exfiltrate patient data, but we will have to wait for more analyses of the data dump.