Ransomware Group Publishes Stolen Medical Data

(TNS) — Though Tri-City Medical Center got its operations back up and running 17 days ago, ransomware extortion efforts appear to be ongoing against the Oceanside hospital.

Earlier this week, a cybersecurity expert noted in a message on X, formerly called Twitter, that “INC RANSOM”, a well known group of cyber extortionists, announced its possession of records stolen from the health care provider on the dark web, an anonymous corner of the Internet where such information is often bought and sold.

The post includes “proof” in the form of eight printed pages presumably taken from Tri-City during the digital attack that severely impacted the public hospital district’s operations starting on Nov. 9. On Nov. 27, the organization reported that it had once again started accepting all ambulance traffic and was conducting elective surgeries postponed during the attack.

Posted records include two prior authorization forms, paperwork used to ask health insurance companies to OK specific procedures for specific patients whose names, phone numbers and other identifying information is listed. Financial records are also included in the small batch of documents, though there is no indication of just how many records are in the attacker’s possession.

The announcement is posted to a “mirror” site on the regular Internet site and, while The San Diego Union-Tribune found and visited the site to verify the presence of such records, it will not link to or otherwise share the site publicly to avoid disseminating stolen information.

Asked for comment on the matter Thursday morning, Tri-City, as of noon Friday, provided no response.

The documents posted by the ransomware group are not necessarily evidence that hackers gained access to Tri-City’s electronic medical records system where super-sensitive data such as patient progress notes, test results and medical imaging reside.

It is possible for hackers to get a lot of personal information without accessing medical record repositories. Scripps Health, for example, was forced to notify nearly 150,000 of its patients in 2021 that some of their private information had been compromised during the month-long ransomware attack that severely degraded its operations. While information said to include addressees, dates of birth, health insurance information, medical record numbers, patient account numbers and the names and dates of treatments were taken, Scripps said medical records remained private.

But it is clear that a notice popping up on a dark web site is a sign that hackers are still squeezing an organization.

Such posts, said Jake Milstein, a cybersecurity advisor at Critical Insight, a Seattle-based information security consulting firm, are intended to put pressure on organizations to pay a ransom to avoid a bigger and more damaging data dump. And even if an organization pays an initial ransom request, that does not necessarily mean a second attempt will not be made.

And, he added, a new wrinkle has appeared in these types of attacks. In addition to threatening to publish stolen private documents, ransomware groups have also started using the private information contained in those documents as leverage, sometimes calling the patients whose records they have taken and making very specific demands.

“The bad guys will start calling patients and saying, ‘hey, I see that you had plastic surgery, you had a colonoscopy, you had heart surgery,'” Milstein said. “‘If you don’t want us to do something bad with your data, here’s the phone number for the CEO of the hospital, call them and tell them to pay the ransom.'”

That approach, he said, has surfaced in breaches across many organizations from medical providers to K-12 schools, though another expert said that these scenarios are “extremely” unusual.

In all cases, he said, regular people who find themselves on the phone with a person asking them to call the organization that has been attacked should be aware that doing so will not change the outcome. Even when a second ransom is paid, he said, sensitive data is still often sold to the highest bidder.

“They should remember that when they get on the phone, they’re talking to a terrorist,” Milstein said. “It’s best not to talk to the bad guy, nothing good will come of it, and it’s best to report it to the hospital and the local police.”

Given what has been posted online in relation to Tri-City, the consultant said that people who recently had care there should operate under the assumption that some of their personal information was caught up in the breach.

The key for anyone at risk of having medical information in the hands of cyber criminals is that such information, if eventually sold, is often used to fuel health care billing fraud. It may be used to impersonate a patient and bill health insurance companies or Medicare for services never provided.

“If you have a flexible spending account or a health savings account, you should check it and make sure that everything that is being charged there is legitimate,” Milstein said. “You can also request a copy of your medical record from your medical provider and make sure that everything in there is something that you did.

“You should repeat those checks in six months and again in a year.”

Credit cards are another significant area of potential concern. Stolen information can be used to apply for additional credit cards in a victim’s name, allowing criminals to run up large bills that come crashing down when collections agencies begin calling about purchases that the victim never made.

It is possible to contact credit agencies and “freeze” a person’s credit, indicating that no new credit cards should be issued under a person’s name without their explicit say so. While this can make certain activities, such as taking out a loan for a home or a car a bit more cumbersome, the benefits of locking things down in this way, Milstein said, can pay off big, especially for kids.

“If you have children who have visited that medical organization, you should absolutely freeze their credit,” he said. “You know, if you have a nine-year-old, for example, they’re not going to need to apply for a credit card for several years, and that means, if something happens, you may not find out about it for years.

“The criminals count on that; they count on you not knowing what happens with your child’s credit, so they look for those minor accounts and try to use them.”

The San Diego Cyber Center of Excellence also reminds everyone that digital hygiene is paramount. The organization emphasizes four practices that can significantly decrease the surface area available for attack:

  • Turn on multifactor authentication – opt-into the extra step when trusted websites and applications ask you to confirm you’re really who you say you are.
  • Update your software – in fact, turn on automatic software updates if available. Bad actors exploit flaws in the system and network defenders are working hard to fix them, but their work relies on all of us updating our software with the latest fixes.
  • Think before you click – if it looks phishy, it likely is and phishing schemes are only getting more sophisticated with AI.
  • Use strong passwords and a password manager – using and reusing easy passwords (1234…) is like locking your door, but hanging the key on the doorknob.

©2023 The San Diego Union-Tribune, Distributed by Tribune Content Agency, LLC.