Crooks get their hands on 500K+ radiology patients' records in cyber-attack

Two ransomware gangs bragged of massive theft of personal info and medical files


Consulting Radiologists has notified almost 512,000 patients that digital intruders accessed their personal and medical information during a February cyberattack.

The 90-year-old Minnesota-based healthcare biz provides on-site radiology services for 22 hospitals and clinics, plus remote teleradiology for more than 100 facilities in upper Midwest America.

According to a privacy breach notification filed with the Maine Attorney General, the physician-owned operation spotted suspicious activity on its network on February 12, and shortly after "learned that an unauthorized actor accessed certain files and data stored within our network."

This included patients' names, addresses, dates of birth, Social Security numbers, health insurance information, and medical records, all belonging to 511,947 people.

"At this time, we have no evidence any of the information has been misused by a third party, but because information related to you was disclosed, we are notifying you out of full transparency," the radiology firm told patients in a notification letter [PDF]. 

As part of its incident response, the business hired a cybersecurity outfit to assist in its investigation, and deployed "additional monitoring tools" while it takes steps to "enhance the security of our systems." It's also offering affected individuals 12 months of free credit monitoring services.

Consulting Radiologists did not immediately respond to The Register's questions about the break-in, including how the data thieves gained access to its network, if they demanded a ransom payment, and what additional security measures have been added to better protect patients' files.

Two ransomware crews, LockBit and Qilin, both claimed in April to have stolen Consulting Radiologists' data. Russia-based Qilin claimed to have made off with more than 70GB, covering 94,667 files. This is the same gang behind the Synnovis ransomware attack, which continues to cause a healthcare crisis at London hospitals.

Synnovis is a partnership between pathology services company Synlab Group and two London NHS Trusts, and in an interview with The Register, the ransomware crew said it has no regrets about targeting a critical services organization.

A spokesperson for the criminals said that attack was politically motivated, and when asked if they figured a healthcare crisis in the capital city would ensue, said: "Yes, we knew that. That was our goal."

Speaking of ransomware maniacs

LockBit has returned with a vengeance following that crew's apparent takedown by an international government effort earlier this year.

According to NCC, the gang reemerged in May with a 665 percent increase in attack volume compared to April's 176 hits. Overall, global ransomware infections increased by 32 percent month-on-month (356 to 470) and eight percent (435 to 470) year-on-year, according to NCC Group.

Still, the report cautions against simply taking the criminals at their word when it comes to intrusions. "There is some speculation that LockBit has not actually managed to recover their operations fully but is instead reposting old victims in an attempt to put forth an image of imperturbability," according to the report [PDF].

And while the claimed surge in victims suggests the group didn't simply dissolve, a la Hive following that gang's takedown, Matt Hull, global head of threat intelligence at NCC Group, said it's too soon to tell.

"It's possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist," Hull opined in a memo.

"Alternatively, the group might be inflating their numbers to conceal the true state of their organization," he added.
