Ransomware crooks steal 3m+ patients’ sensitive info • The Register

Ransomware crooks steal 3m+ patients’ sensitive info • The Register


Several California medical groups have sent security breach notification letters to more than three million patients alerting them that crooks may have stolen a ton of their sensitive health and personal information during a ransomware infection in December.

According to the Southern California health-care organizations, which include Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical, the security breach happened around December 1, 2022. 

“After extensive review, malware was detected on some of our servers, which a threat actor utilized to access and exfiltrate data,” according to a notice posted on Regal’s website and filed with the California Attorney General’s office [PDF]. 

The medical outfit said it hired third-party incident responders to assist and worked with security vendors to restore access to its systems and determine what data was impacted.

Judging from the filings with various state and federal agencies, the news wasn’t good. 

Extortionists stole, among other things, from the medical groups: patients’ names, social security numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and phone numbers.

And according to the US Department of Health and Human Services, which is investigating the database breach, it affected 3,300,638 people. 

“Regal is taking steps to notify potentially impacted individuals of this breach to ensure transparency,” the company’s notification stated, adding it notified law enforcement and regulatory agencies about the ransomware attack.

Regal did not immediately respond to The Register‘s questions, including who is responsible for the attack and how they gained entry, how much money the crooks demanded and whether the health network paid the ransom.

As is typically the case in these types of incidents, the medical groups say they will pay for affected customers to receive one year of Norton LifeLock credit monitoring. They also urged patients to register a fraud alert with various credit bureaus, and closely monitor account statements as well as explanation of benefit forms.

While it’s unclear who is responsible for the cyberattack — several ransomware gangs like to target healthcare facilities because the crooks assume the orgs will pay up — it’s worth noting that in late January the FBI said it shut down Hive’s ransomware network, seizing control of the notorious gang’s servers and websites.

Hive had a particular affinity for hospitals, and in April, the US Health and Human Services agency warned health-care orgs about Hive, which it described as an “exceptionally aggressive” threat to the health sector. 

The takedown was the culmination of a seven-month covert operation during which the FBI infiltrated Hive’s network and used that access to provide decryption keys to more than 300 victims, saving them $130 million in ransomware payments, we’re told. The Feds also distributed another 1,000 decryption keys to previous Hive victims.

During a press conference announcing the takedown and availability of the decryption keys, US Attorney General Merrick Garland said Hive’s most recent victim in the central district of California was pwned around December 30, 2022. ®

You May Also Like…