Was BrightStar Care attacked by two different groups — or was there only one breach?
It would help if BrightStar Care responded to inquiries. They didn't, but I'm confident they would like us all to know that they take privacy and security very seriously, right?
Proving once again what lying bastards they are, #LockBit hit St. Anthony Hospital (Chicago) on December 18 and exfiltrated some patient data. The hospital hasn't confirmed how much yet, and they make no mention of any #encryption of files. LockBit seems to be demanding $800k ransom/extortion to delete the files.
In the process of researching breach reports submitted to HHS, DataBreaches came across a public notice for an incident affecting Primary Health & Wellness Center, LLC in Maryland. Kudos to them for the details and transparency in their notice, although I wish they had named the group or whoever signed any ransom demand.
DataBreaches.net has not found this incident claimed by any ransomware group as yet. The incident was reported to HHS on December 17 as affecting 4,792 patients.
Here’s a great way to destroy any trust your patients might have in you. Madeleine Damo reports:
"Staff at a western Sydney radiologist – recently hit with a cyber attack – were told to tell concerned patients the breach was “an operational IT issue”, while also fielding harassing phone calls from hackers themselves."
In other words: don’t tell patients that there was a ransomware attack in which their data was encrypted and their personal and protected health information acquired by the criminals?
This is yet another example of why we need firm laws requiring more honest and full disclosures and prohibiting deception or minimization in disclosures.
Fred Hutchinson Cancer Center failed to reveal threats of potential swatting attacks until this site revealed the threat. Should they have disclosed it themselves?
If the purpose of a substitute notice under #HIPAA is to reach people the covered entity may not have sufficient or current contact information for, then burying the notice on the very bottom of the homepage and calling it a “privacy update” as if it is an update to the privacy policy is misleading at best.
Yesterday, I reported on a data breach disclosure by HMG Healthcare. You can read more here:
On Christmas Eve, Integris Health in Oklahoma was sending emails to patients and issuing notices about an attack by threat actors in November who were allegedly contacting patients directly.
According to their notices, the threat actors did not lock/encrypt anything but did exfiltrate files with #PHI
Did anyone happen to download the St. Vincent's Medical Center data from the NoEscape leak site before they pulled their exit scam?
If you have the data, please get in touch with me privately. I just want to verify if they got real data from that center and if it contained patient data. I won't be publishing or sharing any data.
If at first you don't succeed, make the same mistake again?
AlphV's leak site now lists Viking Therapeutics and a claim that they got (translated: intimidated) an employee into filing an #SEC report on his own company, saying that they violated the 4-day reporting deadline.
The listing also claims that the incident has already been reported to #HHS.
Someone really really doesn't understand these laws.... "the U.S. Securities and Exchange Commission’s (“SEC”) new Form 8-K rules for reporting material cybersecurity incidents take effect today, December 18, for filers other than smaller reporting companies. The new rules require reporting to the SEC within four business days from the determination of materiality." https://www.huntonprivacyblog.com/2023/12/18/sec-cyber-8-k-rules-effective-today/
So once again, the AlphV affiliate is trying to score points by reporting to the SEC when no reporting is required.
I've reached out to the victim firm and to the affiliate to ask some questions and will probably post something today, but for now, let's not make a bad situation worse for the victim by repeating false claims.
This leak site first opened Dec. 13. I kinda doubt this DragonForce is the Malaysian hacktivist group by the same name. Does anyone know anything about THIS "DragonForce" group? Do they lock files? I've sent them a contact request, but so far, have no info on them.
So the AHA doesn’t want hospitals to be held accountable if they fail to deploy security measures that they should deploy or if they fail to timely patch and a breach results? Even if their failures were directly exploited by hackers and did result in the success of hackers?
If we want hospitals to really comply and thereby prevent more breaches, they have to be held accountable if they ignore what they should do, shouldn't they?
It seems pretty clear from what BianLian has posted that there were TWO unrelated attacks, but Akumin has only disclosed the first attack -- even though it has issued updates since the time of the second attack.
That said: if the second attack was in November, as it allegedly was, then Akumin is still within a 60-day window from discovery to when it must notify HHS and affected patients.
But if an entity issues a press release or update that discloses one data breach but is silent on the fact that there was a second breach, too, resulting in the theft of patient data, is that a deceptive or unfair act under Section 5 of the FTC Act?
The listing for plastic surgeon Dr. Jaime Schwartz has reappeared on the Hunters International leak site. Dr. Schwartz has not responded to multiple inquiries since October about this incident and there is no substitute notice or statement on his website -- even though patient data was already being leaked.
Someone's impatient. LockBit added Pacific Cataract and Laser Institute to their leak site yesterday and the clock runs out in 2 hours.
PCLI has locations in 6 states. There is a notice on their website now that states that their communication systems and computers have been temporarily disrupted by a cyber attack.
Oh no.... The Ardent Health Services ransomware attack Thanksgiving week resulted in hospitals in multiple states diverting patients as they shut down networks to investigate and prevent spread.
The South-West Regional Health Authority (SWRHA) in Trinidad and Tobago is denying that it paid hackers millions to regain access to its data after a cyber-attack on its system in October: