DataBreaches has learned that Tift Regional Medical Center in Georgia was the victim of a ransomware attack in July. Although the hospital was negotiating with the Hive ransomware group, negotiations recently broke off.
According to communications shared exclusively with DataBreaches, the breach started on July 14 and ended on August 8. During that time, Hive claims they were able to download about 1 TB of data, allegedly consisting of:
-company private info (budgets, plans, taxes, contracts, NDA, other agreements, etc)
-medical records (patient name, address, gender, SSN, insurance, diagnosis included)
-employee private info (payrolls, contracts, NDA, SSN, salaries, addresses, passports, etc)
-emails between your companies and patients/partners
On August 25, Hive first emailed Tift to introduce themselves and tell them about the breach and how to reach them for negotiations. In that email, Hive provided the hospital with a link to where they could see 25% of the downloaded data and provided a timeline of what they did and how (some details below redacted by DataBreaches):
– 14 of July we gained access to your network through Citrix with following
credentials: https://citrix.tiftregional.com/vpn/index.html login:[redacted]
password:[redacted]
– soon your network administrators detected this breach and changed admin passwords, but we have had already gained access to your network and it critical structures
– since we already had all access to your network, we have continued to get familiar with your files
– when we have found sensitive data we started to download them using OneDrive cloud storage
– your admins detected suspicious activity and blocked citrix and vpn -ip access
– those actions didn’t help at all, because we already started to download files and unfortunately your administrators didn’t find these processes
– since 14 of July till 8 of August we have downloaded about 1tb of data
– after this we have left your network peacefully
On August 26, someone from Tift contacted Hive and asked what they wanted. To cut to the chase, the amount was $1,150,000.00. “We know that you have cyber insurance policy with a limit of $6M. Our financial experts have estimated what losses you will incur in the event of a leak of your personal data.,” Hive wrote.
In response to the negotiator’s request, Hive provided them with a list of all the files they had exfiltrated. Tift then asked for more time for the board to meet to consider everything and what they could offer.
On September 2, Tift’s negotiator wrote:
Hello. Our board has made the approval to offer $100,000 to you. Because of the time left today and banking holiday on Monday, this payment can likely be made on Tuesday if you agree.
Hive responded:
Thank you for your offer. Tell the board that they can keep 100k for lawyers. We will publish the data.
On September 8, Tift’s negotiator wrote, in part:
Our board is asking if you can please accept $225k. We are a small network without much funding.
Hive promptly responded:
Rejected. You have cyber insurance that will cover all your expenses. If you can pay in 48 hours than we can give you 20% discount. It’s final. Accept it or tell me that you reject it.
Tift responded that they would pass that along, but the board would have to meet again on Monday (September 12).
That was the last communication Hive received from them.
DataBreaches was given access to the 25% of the files Hive shared with Tift. It contained employee and patient information, audits, accounting, and internal files. Whether Hive will leak the data remains to be seen. Tift’s negotiator seems to have used the same unsuccessful strategy that others have used: claiming that an entity is not-for-profit and doesn’t have the means to pay even though the threat actors have done their homework and know how much cyberinsurance the victim has and how much the executives of the hospital earn each year.
Tift did not reply to an inquiry about what Tift is doing in response to this incident. This post will be updated if a reply is received.
Update: Southwell did not reply to DataBreaches’ inquiries, but gave a statement to Becker’s Health IT that said, in part:
There are inaccuracies about the incident in what has been reported, and the investigation into the incident and claims is ongoing. We will be providing notice to individuals whose personal information is determined to be impacted.
DataBreaches sent a second inquiry to Tift asking exactly what they thought was inaccurate in the reporting. DataBreaches hopes that Southwell will respond this time.