The attacks on the medical sector continue, although not all get a lot of media coverage. This week, DataBreaches.net noted the Alamance Skin Center ransomware breach which had left the medical entity with unrecoverable data on 100,000 patients. I get a knot in my stomach just thinking about breaches like that one.
Today, DataBreaches.net notes two more recent attacks on medical entities.
The first, Seeley Enterprises Company dba Seeley Medical in Ohio, reported a breach to HHS on November 6 that impacted 16,196 patients. According to a letter from their external counsel, on September 7, the home medical equipment company became aware of suspicious activity on its network. An investigation, launched promptly, revealed that its network had been infected with malware which prevented access to certain files on the system.
The malware was reportedly introduced by “an unauthorized actor who also accessed and acquired certain files within Seeley’s system.” The unauthorized access occurred between August 31 and September 7, when the attack was discovered.
The information that could have been subject to unauthorized access included name, address, phone number, medical record number, Social Security number, and prescription information.
Seeley is offering those impacted 12 months of credit monitoring services and is reviewing their policies, procedures, and processes related to storage of and access to personal information. Inquiries sent to both Seeley and their external counsel seeking more information as to what type of malware this was and whether Seeley received and/or responded to any ransom demands have not been answered by the time of this publication. This post may be updated when replies are received.
But Seeley wasn’t the only medical entity whose attack DataBreaches.net is looking into this week. Houston-based Reconstructive Orthopedic Center (ROC) suffered what appears to be a serious attack that resulted in the exfiltration of a lot of protected health information, some of which has already been dumped publicly.
ROC was attacked by the DoppelPaymer threat actors, who added ROC and a partial data dump to their dedicated leak site on November 17. From timestamps in the data dump, the data may have been exfiltrated from ROC on or before September 16.
The data dump is problematic for ROC. There are thousands of scanned patient records, in some cases with detailed medical records on named patients (e.g., one file was 131 pages of medical records that had been faxed over to ROC).
Thankfully, a lot of the files only use truncated SSN and not full SSN, but even then, there is a lot of PII and PHI involved, including therapy-related files, insurance billing data, communications from attorneys involved in injury or workers compensation cases, and more.
The scanned patient files in two folders all appear to be dated between January 1 of this year and September 15. Files in the billing folder, however, are a different story, and DataBreaches.net noted approximately 200 files related to letters of medical necessity for Medicare patients that go back to 2004. Another file also contained hundreds of older letters of medical necessity, with the filenames often revealing/embedding the patients’ names.
How many other patient files did the attackers also exfiltrate? It’s unknown to DataBreaches.net at this point, but based on the partial data dump, the attackers seem to have acquired and dumped scanned records involving thousands of patients. If the attackers did get everything — i.e., similar files for dates prior to 2020 — this could turn out to be a big-numbers breach. DataBreaches.net hopes it isn’t.
There is no notice on ROC’s web site at this time, and ROC has not responded to two email inquiries sent yesterday about the attack and data dump. This post will be updated if a response is received.