CarePartners experienced a data breach in 2018, and now the hackers are attempting to extort the Ontario-based provider for 5 bitcoins, or about $18,000, to prevent the public release of employee and patient files, according to DataBreaches.net.
In June 2018, CarePartners reported a hack on its computer system, which breached some patient data and employee files. According to the provider, just a few hundred employees and patients were impacted.
However, a month later the hacking group claimed they had thousands of patient records from the breach, including detailed medical histories, according to local news outlet CBC.
OrangeWorm shared some of the files with CBC, which appeared to be active patient credit card numbers and other files with medical data. The hacking group likely contacted CBC in an attempt to get CarePartners to pay the extortion.
The hacking group has since contacted DataBreaches.net, providing them two data dumps, one with employee financial data and the other allegedly containing the encrypted medical data of about 80,000 patients. They were able to download the file, but all of the documents are encrypted and the hackers will only release the encryption key for 5 BTC.
The second data trove contains 2.2 GB of 12,971 files, which include what appears to be employee or contractor rates and earnings.
While the data didn’t appear to be from June 2018, the files did support OrangeWorm’s claims that they had CarePartner’s company financial documents, hundreds of employee T4 statements with social insurance numbers, dates of birth, names, addresses, company banking details, accounts payable, and wire transfers.
While CarePartners has not confirmed the extortion attempt, they did update their privacy breach information page on February 4.
Extortion without ransomware is not reported often in the healthcare sector. However, in 2016 and 2017, the hacking group called the TheDarkOverLord attempted to extort multiple healthcare providers.
In response to these attempts and the increase in ransomware and DDoS attacks, the Office for Civil Rights provided guidance in January 2018 to help providers reduce extortion risk. Officials recommended organizations leverage risk analysis and management, as well as employee training and disaster recovery plans.