The chronology of Sea Mar Community Health Center’s responses to a massive data breach suggests that they may be first learning of data dumps because of notifications by DataBreaches.net or this site’s reporting of our discoveries. If true, what does that say about their security and incident response? A DataBreaches.net commentary.
Since 2021, DataBreaches.net has been reporting on a massive breach involving Sea Mar Community Health Centers in Washington state. For almost one year now, DataBreaches.net has been contacting Sea Mar to alert them to data appearing on the internet and to ask them for a response. For more than one year, Sea Mar has not responded to a single alert or request from this site. The chronology of their public notifications, however, suggests that if it were not for this site, they might not even know that their patients’ and employees’ personal and protected health information had been dumped on the internet.
Last month, DataBreaches.net broke the story that yet another 161 GB of Sea Mar data had been leaked on the internet. The files in that leak, unlike two previous data dumps of Sea Mar data, consisted of more than 650,000 image files that, for the most part, were driver’s license images.
DataBreaches.net’s earlier coverage of prior leaks of Sea Mar data is linked from our March article. The three leaks (one by Marketo and two by Snatch Team) all contained different files. Snatch Team would not reveal whether two different entities had listed data with them at different times or whether there was just one entity. Nor did Snatch Team even seem to know that the data came from Sea Mar, saying that the entity who listed the data dump with them did not indicate the source of the data. As a result, it is not clear how many threat actors or groups are in possession of the Sea Mar data or how broadly it has already been circulated.
Sea Mar has now issued another press release, stating that it has learned of additional information involved in its previously reported incident. This additional information, they write, “may have impacted data belonging to current and former Sea Mar patients and other individuals associated with Sea Mar.” Looking at their press release below, keep in mind that DataBreaches.net first alerted Sea Mar to the Marketo leak on June 24, 2021. This site then posted updates on the incident in October 2021 (when Sea Mar first issued a press release), in January 2022 when we discovered the first dump of 22 GB on Snatch Team, in February after Sea Mar was sued, and again in March, when we discovered the 161 GB dump on Snatch Team.
Keeping that chronology in mind, here is Sea Mar’s newest press release (emphasis added by DataBreaches.net):
On June 24, 2021, Sea Mar was informed that certain Sea Mar data may have been copied from its digital environment by an unauthorized actor. Upon receipt of this information, Sea Mar immediately took steps to secure its environment and commenced an investigation with the assistance of leading, independent cybersecurity experts. Through the investigation, Sea Mar learned that certain data may have been copied from its digital environment between December 2020 and March 2021 and provided notification to individuals known to have been potentially impacted.
In January and March 2022, Sea Mar learned of additional data that may have been copied from its digital environment, and, upon review, identified that such data contained personal and protected health information. The additional data contained the following personal and protected health information: Name, date of birth, and, in some cases, Social Security number and/or driver’s license information.
Sea Mar has provided notice of the incident on its website to alert all potentially impacted individuals of this incident and the update related thereto. The notice includes information about the incident and steps that potentially impacted individuals can take to protect their information.
The privacy and protection of personal and protected health information is a top priority for Sea Mar, which deeply regrets any inconvenience or concern this incident may cause. Sea Mar is continuing to work with cybersecurity experts to take steps to prevent a similar incident from occurring in the future. Sea Mar has also established a toll-free call center to answer questions about the incident. Call center representatives are available Monday through Friday from 6:00 am – 3:30 pm Pacific Time and can be reached at 1-855-651-2684.
Apart from the civil lawsuits they are facing, there are questions from a regulatory standpoint: will investigators look at why Sea Mar had so much old and unencrypted data on their system? What did their risk assessment look like for old data? What security did they have on current data? And shouldn’t they have had a system to receive and acknowledge notifications of a breach? Finally, for now: would they have even known about the data leaks if this site hadn’t discovered their data on leak sites and taken the time to alert them each time?