On November 21, the Cactus ransomware gang added Petersen Health Care to its leak site. The listing has been updated since then. As proof of claims, Cactus leaked several screenshots of identity documents like passports. They did not indicate whether these were employee documents or patient-related documents, although it would be more likely if they were employee-related. There were no files that were marked as patient or medical records, and Cactus did not state whether they encrypted files or systems.
Petersen Health Care provides a variety of settings and types of services, including independent living, memory care, rehabilitation services, skilled nursing, supportive living facilities, and assisted living facilities. They have locations in Illinois, Missouri, and Iowa.
DataBreaches reached out to Petersen Health Care via their website contact form on December 10. They did not reply. DataBreaches sent a second inquiry on December 12 asking if they would confirm the claimed attack, whether files were locked, whether patient data was exfiltrated, and whether patient care was affected at all. Once again, there was no reply.
DataBreaches also reached out to Cactus on December 10 to ask how much data they exfiltrated and whether it included patient data. They read the inquiry but did not reply.
Given their lack of clear proof of claims concerning protected health information, it’s not yet clear whether they got any patient data at all. If they decide to respond to the inquiry or update their leak site, this post may be updated.
There is no notice of any kind on Petersen’s website at publication, and because Cactus did not indicate a date of attack nor whether they got any patient data, Petersen may still be within a 60-day window for reporting to HHS and patients.
DataBreaches will continue to monitor this incident and will post updates if more information becomes available.