Cybercriminal Gang Money Message Claims Credit, Publishes Stolen Records
A Massachusetts hospital is notifying 316,000 people that their information was compromised in a cyberattack discovered nearly a year ago on Christmas 2023. Cybercriminal group Money Message had claimed that it stole 600 gigabytes of data in the incident, posting patient and employee records on the gang’s dark website back in January.
Anna Jaques Hospital, which is based in Newburyport and is part of the much larger Boston-based Beth Israel Lahey Health healthcare system, told Maine state regulators on Dec. 5 that it experienced a cybersecurity incident on its network on or about Dec. 25, 2023, which temporarily disrupted some of its IT systems.
As of Tuesday, the Anna Jaques incident did not yet appear to have been posted on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing breaches affecting 500 or more individuals.
Anna Jaques in an updated public statement issued on its website last week said it had first posted a notice about the incident on Jan. 24, while the hospital was conducting its investigation, “out of abundance of caution.”
But the updated notice says Anna Jaques only completed its “thorough forensic investigation and manual document review” on Nov. 5, determining that certain files containing information were “accessed” by an unauthorized party.
The hospital’s notice does not mention that data was also allegedly stolen in the incident and published on Money Message’s dark web blog site. Those leaked documents include employee disciplinary records, patient vaccine, medical imaging orders and diagnoses, and files containing other detailed information.
Anna Jaques said in its breach notice that compromised information varies per individual but may include demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information.
Upon detecting the incident, the hospital said it “contained the network,” launched an investigation and notified law enforcement. “Anna Jaques has no indication that there has been any fraud as a result of this incident,” the notice said.
An attorney representing Anna Jaques in the breach report did not immediately respond to Information Security Media Group’s request for additional details about the incident and for comment on Money Message’s claims.
Extended Breach Analysis
Some experts said that based on Anna Jaques’ statements, the analysis of data compromised in the incident appears to have taken an unusually long time.
“An entire year for a forensic investigation is unheard of. In my experience, the longest investigations ran four to five months and those involved millions of users, which isn’t the case with this attack as reported,” said Jeff Wichman, director of incident response at security firm Semperis, and a former ransomware negotiator.
While Anna Jaques’ breach notice said the hospital engaged third-party cybersecurity experts to assist in handling the incident, many other not-for-profit organizations often have a difficult time with cyber staffing, said Paul Underwood, vice president of security at web hosting firm Neovera.
This includes the ability to hire the number of security individuals needed to help maintain, operate and hunt for threats that discover malicious actors with access to their environments, Underwood said.
“With the limited staffing some of these not-for-profit companies have, it’s difficult to add additional analyst work to their current day-to-day operations, so organizations are at the mercy of what their insurance companies bring in for investigation assistance or they hire third parties to provide these analysis services,” he said.
What’s unclear from Anna Jaques’ statement so far are other factors that might have contributed to the lengthy analysis to determine the information compromised in the incident, other experts said.
“What we don’t know, however, is what logging was available to determine which systems or data was impacted,” said Scott Weinberg, Neovera CEO.
“It’s possible that the ransomware attackers left a minimal or perhaps even a corrupt trail of evidence behind them, making it extremely difficult to determine what was viewed or downloaded.”
Wichman said he’s not surprised the attack last year on Anna Jaques took place during the holiday season. In fact, a recent Semperis holiday ransomware report shows that on average, 72% of companies – and 74% of healthcare sector entities – have been hit by ransomware on holidays and weekends.
Because Money Message published Anna Jaques’ information on its dark web site back in January – where it remained posted as of Tuesday – it also appears the hospital did not engage in negotiations with the threat actors.
“Overall, there are times when organizations have a hard-and-fast rule not to engage with attackers. I don’t think it is beneficial to have that stance because the forensic investigation could have been shortened by at least understanding from the negotiation phase what the attacker may have stolen,” Wichman said.