Hackers Dump More Health Data, as Feds Share Ransomware Factsheet

February 08, 2021 - The Conti ransomware hacking group recently released two massive healthcare data dumps tied to Leon Medical Centers and Nocona General Hospital on the dark web for sale. The leaks follow a newly released National Cyber Investigative Joint Task Force (NCIJTF) ransomware factsheet.

As previously reported, Leon Medical Center confirmed data was exfiltrated by hackers during a ransomware attack in November 2020.

Around that time, Conti hackers claimed to have stolen a trove of employee and patient data from the Florida health system, including Social Security numbers, contact information, insurance details, diagnoses, treatments, and photographs.

The data was leaked online on December 21, a month after the reported malware attack, and after the health system refused to respond to the hackers’ requests. As of February 8, Conti reported it had posted about 84 percent of the data allegedly stolen from Leon Medical.

The Nocona General Hospital incident is vastly different, as the hospital claims that they’ve never received a ransomware note from the attackers. As a result, it’s unclear how the attackers obtained the data, clearly marked with Nocona labels.

READ MORE: 70% Ransomware Attacks Cause Data Exfiltration; Phishing Top Entry Point

The Conti site includes at least 20 files of data, first posted on February 3. These are labeled with various insurance names, as well as file names like mailed medical records, inventories, audits and appeals, colonoscopies, and a host of others.

Screenshots of the files shared with HealthITSecurity.com include medical request forms, complete with patient names, SSNs, signatures, dates of birth, and dates of service. If indeed Nocona was not hit with ransomware, then the data could be tied to another third-party data breach as seen in a number of reports in the last year.

“Healthcare providers in this situation are without a good option,” Emsisoft Threat Analyst Brett Callow explained to HealthITSecurity.com. “They’ve been breached and paying the ransom demand does not change that. Nor does paying the demand guarantee that the criminals will destroy the data.”

“There are multiple instances in which data ended up being posted online after the demand was paid,” he added. “However, not paying - which all but ensures PHI will leak online - is not a great option either, especially as it may further anger patients and increase the risk of lawsuits. It really is a lose-lose situation.”

Although not referenced, these breach reports come on the heels of a new NCIJTF factsheet designed to address current ransomware threats.

READ MORE: Netwalker Ransomware Site, Emotet Botnet Taken Down in Global Effort

The insights were developed by an interagency group of more than 15 government agencies to increase awareness across all sectors and was released as part of the federal government’s ransomware reduction campaign, launched in January.

Entities should leverage the insights to better understand how to both prevent a ransomware infection and mitigate successful attacks, which detail the government’s efforts to curtail the ransomware threat, as well as the key entry points of hackers.

The most common entry points are email phishing, remote desktop protocols (RDPs), and software vulnerabilities. The factsheet mirrors previous findings from Coveware, which found email phishing as the leading entry point, overtaking RDP.

That same report found that 70 percent of all ransomware attacks lead to data exfiltration.

The best way to minimize the risk of ransomware is to backup data offline, system images, and configurations, while routinely testing these systems for effectiveness. Multi-factor authentication should be employed on all relevant endpoints, and systems should be updated and patched as soon as administrators are able to apply them.

READ MORE: Key 2021 Insights: Proactive Security Needed for Ransomware, Phishing

Further, all entities need an incident response plan, which should be routinely reviewed and practiced by all workforce members.

The agencies also reminded entities that the FBI does not encourage victims to pay ransom demands, which only encourages criminals to further distribute ransomware and or fund other illicit activities.

In fact, a 2020 report from Sophos found that paying ransom demands can actually double the amount of ransomware costs and don’t ensure an easier recovery path.

Instead, impacted entities should contact the FBI to provide valuable information needed to track hackers and hold them accountable under the law.

“The unfortunate reality of any cyberattack on a healthcare system is that the data obtained is some of the most personal information available,” said Tim Mackey, Synopsys CyRC principal security strategist, in an emailed statement. “Cybercriminals know this and fully expect that their ransom demands will be met in one form or another.” 

“Since we’re dealing with cybercriminals, the public shouldn’t expect them to play fair and instead should be wary of any unsolicited or unexpected calls,” he added. “For the CISOs of hospital systems, it’s important to continually review your threat models and defensive measures.”