North Shore Pain Management (NSPM) based in Massachusetts started sending notifications to 12,472 patients because hackers potentially stole some of their protected health information (PHI). NSPM became aware of the breach on April 21, 2020 and its investigation confirmed the first access of their system by hackers on April 16, 2020.
NSPM posted on its website a substitute breach notice but did not provide any data with regards to the nature of the attack. Nonetheless, Emsisoft and databreaches.net affirmed the attack where AKO ransomware was used. The group that conducted the attack posted 4GB of stolen information on their Tor website because of no ransom payment.
The posted data include various sensitive data of workers and patients. The NSPM breach notice claimed that the stolen information consists of patient names, medical insurance information, account balances, birth dates, financial details, diagnosis and treatment information. Ultrasound and MRI images were likewise compromised for For several patients. Those patients using their Social Security numbers with their health insurance /member number had exposed their SSNs as well.
Because of the exposed stolen information on the web, NSPM instructed the affected patients to monitor their explanation of benefits statements and financial accounts for any sign of information misuse. NSPM provided credit monitoring and identity theft protection services at no cost to the patients whose Social Security numbers were exposed. NSPM appointed another IT management provider to reinforce its cybersecurity.
The AKO ransomware attackers are identical to gangs that deploy ransomware manually. They engaged in data theft prior to file encryption to increase the likelihood of getting ransom payment. The AKO group typically requires companies with big revenues to pay two ransom payments – one for the price tag of the decryptor and another for stolen data deletion. The cost of deleting files may be between $100,000 and $2,000,000.
The group claimed that some healthcare providers just pay the cost of deleting data. There is no confirmation if NSPM made a ransom payment.
Ransomware Attack on Florida Orthopaedic Institute
A ransomware attack on Florida Orthopaedic Institute in Tampa, FL occurred on April 9, 2020 resulting in the encryption of patient data. An internal investigation of the breach showed there was a potential theft of patients’ personal information and PHI prior to file encryption. Nevertheless, there is no report received by Florida Orthopaedic Institute regarding any patient data misuse due to the attack.
Florida Orthopaedic Institute appointed a third-party computer forensic firm to continue the investigation. Steps had already been taken to get back the encrypted data and protect its servers. The affected patients already received breach notification letters, including the offer of free fraud consultation, credit monitoring, and identity theft restoration services.
The encrypted data and possibly obtained by the attackers included the following: names, Social Security numbers, birth dates, medical information related to appointment times, diagnosis codes, doctor’s locations, paid amount, insurance plan ID numbers, payer ID numbers, claims addresses, and/or FOI claims history.
Florida Orthopaedic Institute appointed third-party experts to enhance security to avert any more cyberattacks in the future.
The HHS’ Office for Civil Rights breach hasn’t put up yet the incident details on its breach website, hence the number of impacted patients is not known at this time.