Six Healthcare Providers Added to Ransomware Data Leak Sites
Recent reports by Rapid7 and Guidepoint Security indicate the number of active ransomware groups has increased in 2024, as has the number of attacks. The healthcare industry is a prime target for ransomware groups and there has been a recent flurry of listings on ransomware groups’ data leak sites.
Surgery Center of Mid Florida
The Surgery Center of Mid Florida has recently alerted patients about a network encryption event (ransomware). The attack was detected on or around February 21, 2024, when unusual network activity was observed. The investigation confirmed file encryption, with the initial hacking occurring at its IT vendor. The hackers then used the connection with the IT vendor to launch an attack on its network.
While the investigation found no evidence that patient information was viewed or acquired by the hackers, the decision was made to notify all 48,684 patients about the attack as unauthorized data access/theft could not be ruled out. Following the attack, the Surgery Center of Mid Florida terminated its contract with the IT vendor and contracted with a new vendor. Security measures have also been enhanced on its web server infrastructure to prevent similar attacks in the future. Firewalls have been replaced and enhanced, and data has been transferred to a secure, cloud-based electronic health record system and practice management software. It is currently unclear which ransomware group is behind the attack.
Gramercy Surgery Center, New York
Gramercy Surgery Center in New York recently announced that it had fallen victim to a cyberattack, and while neither ransomware nor file encryption was mentioned in its substitute breach notice, a ransomware group has claimed responsibility for the attack and has started leaking the stolen data. Everest Team, a skilled ransomware group that has been in operation since 2020, claims to have stolen 460 GB of data in the attack.
According to Gramercy Surgery Center, the attack was discovered on June 18, 2024, and the investigation confirmed that certain documents on its network were accessed and/or copied between June 14, 2024, and June 17, 2024. Those files have been reviewed and Gramercy Surgery Center has confirmed that they contain names, addresses, Social Security numbers, dates of birth, driver’s license/state identification card numbers, medical record numbers, treatment information, and health insurance information. The types of data involved vary from individual to individual.
Gramercy Surgery Center said the investigation and response to the incident are ongoing, but steps have already been taken to improve security. The affected individuals will be notified when the file review has been completed. A HIPAA breach has been reported to the HHS’ Office for Civil Rights as affecting 50,554 individuals.
Bayhealth, Delaware
Bayhealth, a healthcare system serving patients in central and southern Delaware, has yet to confirm a data breach; however, it has confirmed that it has identified suspicious network activity that disrupted certain systems. Bayhealth has confirmed that it is aware that a ransomware group claims to have stolen data and that the investigation into the incident is ongoing. That ransomware group is Rhysida.
Rhysida is known to attack the healthcare and public health sector and exfiltrates data to use as leverage to pressure victims into paying a ransom. The group often claims to sell the stolen data, although it also leaks data on its dark web data leak site. Rhysida was behind the February 2024 ransomware attack on Ann & Robert H Lurie Children’s Hospital of Chicago. Rhysida added Bayhealth to its data leak site on Friday and claims to have exfiltrated sensitive data. The group says it demanded a 25 Bitcoin ransom (around $1.5 million) and has given Bayhealth 7 days to make payment; otherwise, the data will be listed for sale. The listing includes a sample of scanned passports, driver’s license cards, and other sensitive documents.
Community Care Alliance, Rhode Island
Community Care Alliance in Woonsocket, RI, does not appear to have publicly disclosed a cyberattack or data breach; however, the Rhysida ransomware group has added Community Care Alliance to its data leak site. The attack allegedly occurred on or around July 29, 2024, and Rhysida claims to have exfiltrated a 2.5 TB database in the attack that included sensitive information such as names, dates of birth, Social Security numbers, and credit card information. The listing includes a sample of scanned passports, driver’s license cards, and other sensitive documents.
Betances Health Center, New York
Betances Health Center in New York appears to have fallen victim to a ransomware/extortion attack. Betances Health Center does not appear to have publicly disclosed the attack at this point, and the data breach is not yet shown on the OCR breach portal. The Hunters International ransomware group has added the health center to its data leak site and claims to have stolen 125 GB of data, including sensitive personal and medical information. It is currently unclear how many patients have been affected.
Brookshire Dental, Texas
Brookshire Dental in Hurst, TX, is an apparent victim of a Qilin ransomware attack. Qilin is the same group behind the attack on the NHS pathology vendor Synnovis that caused serious disruption to blood supplies in London. No information about the attack has been disclosed by Brookshire Dental at the time of publication, and the incident is not shown on either the OCR breach portal or the website of the Texas Attorney General. According to a Qilin blog post on August 12, 2024, 96 GB of data was stolen in the attack, although at this stage no data has been made available for download.


