
Ransomware Actors Leak Data From 3 More Healthcare-Related Entities

The Avaddon, Conti, and REvil ransomware threat actors are at it again: this time leaking data from a medical center, health system, and an IT vendor with some healthcare clients.

The threat actors behind Avaddon, Conti, and REvil ransomware have yet again leaked more data from healthcare-related entities. The latest data dumps include troves of health information allegedly stolen from a medical center, a health system, and an IT vendor with some clients in the healthcare sector.

The first incident involves the REvil group and Standley Systems, a document scanning and document management solutions vendor. The hackers claim the vendor did not respond to repeated extortion attempts and have since posted a wide range of data allegedly stolen from several clients.

The screenshots shared with HealthITSecurity.com show at least seven data sets from Ellis Clinic, Enerquest, WW Steel, the Oklahoma Medical Board, Crawley Petroleum, and Chaparral Energy, with a massive set the hackers claim to have stolen from backups of the vendor’s clients.

An overview of the data claims the attackers obtained personal data from the named clients, as well as employee passports and licenses, more than 1,000 Social Security numbers, service contracts, medical documents, and other sensitive information.

Meanwhile, the Conti ransomware group posted 2 percent of the overall data they claim to have stolen from the Rehoboth McKinley Christian Health Care Services in New Mexico. The dark web posting includes files named passports, driver’s licenses, and bill of sale, among others.

An inspection of the documents already leaked online shows prescriptions, patient and provider names, and scanned patient identification cards. There are also scans of patient assessments for underage patients and full scans of patient treatments, diagnoses, and the like, including echocardiogram reports.

Because of privacy concerns and an unwillingness to bring attention to the Conti posting, HealthITSecurity.com will not post a link to its data leak site. But the scanned documents can be viewed in their entirety online, without restrictions and unredacted.

Lastly, in one of the most concerning leaks, Avaddon hackers posted a trove of highly sensitive information from the Capital Medical Center in Olympia, Washington. The screenshots shared with HealthITSecurity.com warn that the attackers plan to dump more of the stolen data in 9 days.

The attackers appear to have hoards of scanned driver’s licenses, lab results with detailed patient information, patient procedural documents, and faxed patient documents with insurance details, contact information, provider names, and even patient assessments.

The hackers also posted scanned patient referral documents with highly sensitive patient details, as well as completed patient prescription forms and lab tests with exposed patient procedures, treatments, and diagnoses.

The leaked documents also include billing reports on Current Procedural Terminology (CPT) activities. There also appear to be files with full patient records. 

A spokesperson for Capital Medical Center reports that its security team is aware of the potential cybersecurity concern linked to the provider and is currently investigating the incident.

"We have thoroughly assessed this situation, and Capital Medical Center has not been impacted to date. At this time, we do not believe that any of our hospital systems have been compromised, and we are continuing normal operations," the spokesperson said in an emailed statement.

"We have advanced IT security and monitoring systems in place to help protect against potential cybersecurity threats – which is how we quickly became aware of this matter and took immediate action to investigate it. We are continuing to closely monitor all of our systems for any unusual activity," they added.

Overall, these leaks are a serious patient privacy concern. Federal agencies and researchers have warned that these hacking groups have ramped up their targeted attacks on healthcare since September.

While many ransomware hacking groups stick to forcing providers into EHR downtime in an effort to gain payment from a ransom demand, reports show data exfiltration occurs in 70 percent of all ransomware attacks.

Increasingly, these hackers are remaining on victims’ networks for days and sometimes weeks after gaining a foothold, gathering as much sensitive data as possible before dropping the final ransomware payload.

And as seen in recent data dumps, some providers are not aware of the intrusions until the data is leaked online. The key entry point in these attacks is phishing emails, followed by exploitation of weak endpoints such as the remote desktop protocol (RDP).

As previously reported, healthcare providers must take swift action to avoid joining the ever-increasing number of healthcare ransomware victims.

The Office for Civil Rights, Microsoft, the FBI, NIST, and the Department of Homeland Security have all provided free ransomware guidance that can help healthcare providers plan their response to ransomware attacks and shore up key vulnerabilities to strengthen defenses.

This story has been updated to include comments from a Capital Medical Center spokesperson, which disputes the data leak. HealthITSecurity.com is monitoring the incident and will provide further updates, as needed.
