In August, threat actors calling themselves AvosLocker announced that they had attacked Moorfields NHS UK & Dubai. DataBreaches.net’s investigation at that point indicated that the data they provided as proof came from the Dubai hospital and did not involve any UK personnel or patients. In a statement to this site, Moorfields confirmed that there had been a breach but that it only impacted Dubai, and those Dubai patients who had some identity information stolen had been notified.
On September 1, the threat actors dumped the remainder of the data they had exfiltrated from the specialty eye hospital.
Inspection of the newest data dump reveals that a lot of the files concerned business functions and personnel — resumes, credentials, and related personnel files. While Moorfields had previously indicated that they were contacting patients whose information may have been involved, they did not mention what they were doing about all the doctors and staff whose information was accessed, acquired, and now dumped.
While DataBreaches.net did not see any evidence that an EHR system had been acquired and dumped, the dumped data did include patient information. As noted at the time of the first data dump, there were spreadsheets for scheduling purposes that included patients’ names, time of appointment, ID number, diagnosis, tests run, and insurance information. But there were also other kinds of files containing patient information, and some were more detailed records with relevant medical history. DataBreaches.net also noted patient referral forms with personal and medical information on named patients.
A separate file contained more than 1,100 photocopies of patients’ passports.
And as is too often the case, some of the stolen files were old patient-related records. In this case, there were insurance billings for some patients, and billings to clients of the hospital in 2015 and 2016 such as a police department, an embassy, a major oil company, and an airline. The entities were billed for services provided to their named employees/patients. Other files were from even earlier years.
DataBreaches.net does not know the notification laws that would apply to this breach, although Dubai law appears to follow GDPR and incorporate some aspects of the CCPA.
DataBreaches.net sent an email inquiry to Moorfields yesterday to ask what they were doing in response to this latest dump, but had not received a reply by the time of publication. This post may be updated if a reply is received.
Palo Alto Networks’ Unit 42 Blog has a recent write-up on AvosLocker, and SuspectFile has more on the new variant of the locker, .avos2.