Data Breach Notification, Data Security, Fraud Management & Cybercrime
Ransomware Gang Qilin Claims to Have 42GB of Practice’s Stolen Data

Ransomware group Qilin posted at least 42 gigabytes of data stolen from a Texas pediatric orthopedic practice for sale on its darkweb leak site in February. In recent days, Central Texas Pediatric Orthopedics began notifying more than 140,000 people that their data was compromised by hackers.
Central Texas Pediatric Orthopedics reported the hacking incident to federal regulators on April 4 as involving its network server. In an earlier breach report filed on March 6 with the Texas attorney general, the practice said the incident affected 90,000 Texas residents. The group on Monday told Maine’s attorney general the incident affected 140,121 people, including nine residents of Maine.
Data affected by the incident includes names, government-issued ID numbers including passports and state ID cards, medical information, health insurance information and dates of birth, according to the report filed with the Texas attorney general.
Ransomware group Qilin listed at least 3,269 files totaling 42 gigabytes of stolen data on its darkweb page, as of Feb. 25. The cybercrime gang leaked at least six passport images that allegedly were among the trove of stolen data.
In a sample breach notice provided to Maine’s attorney general, Central Texas Pediatric Orthopedics said it became aware of a security incident occurring on its network on Jan. 25.
The practice’s investigation found that an “unauthorized actor” gained access to certain systems from Jan. 23 to Jan. 26. “On Feb. 4, we discovered some of the accessed locations likely included patient information and limited information related to volunteers of CTPO,” the notice said.
Information contained in the files the cybercriminals may have “viewed or acquired” includes minors’ names, dates of birth and X-ray images, according to the practice.
“At this point, we have found no evidence that personal information or protected health information has been misused,” the breach notice says.
The practice said it reported the incident to the FBI and has taken steps to enhance its data security. That includes implementing additional endpoint detection and response software, resetting all passwords and rebuilding affected servers. “We will continue to assess our policies and procedures already in place for ways to defend against evolving threats,” CTPO said.
CTPO did not immediately respond to Information Security Media Group’s request for additional details about the incident, including comment on Qilin’s darkweb claims and whether the practice paid a ransom.
Dark web monitoring site DarkFeed.io counts 386 attacks by Qilin to date, as of Tuesday.
Patient Risk
Cyberattacks that compromise data related to pediatric patients are especially worrisome for those families, some experts said. “Healthcare records can be monetized more readily than those of older patients because of the pristine credit histories of children,” said Mike Hamilton, field CISO of security firm Lumifi Cyber.
“Victims may not find out until a decade or more later that their record was used to set up credit for expensive items, after which the loans go into default and the items are ‘fenced’ at a discount.”
As of Monday, several national class action law firms had issued public statements announcing they are investigating the CTPO incident for potential litigation.
Of course, CTPO is not the only pediatric healthcare provider that has been hit by major hacking incidents in recent months and years. Others include Ann & Robert H. Lurie Children’s Hospital of Chicago, where an attack last year by ransomware gang Rhysida affected 800,000 individuals (see: Children’s Hospital Notifies 800,000 of Data Theft in Attack).
“No organization is immune from these attacks,” Hamilton said.
“The ability of the U.S. public and private sectors to resource the controls necessary to withstand these attacks is insignificant compared to the resources of organized cybercrime,” he said. “The fact that these organizations are immediately sued with a class action says more about the perverse incentives we’ve created with our laws than it does about the admonition that we are simply outgunned.”
“Without forceful deterrence from the federal government and a reevaluation of legislation – neither of which is apparently forthcoming – both the theft of records and civil litigation will continue to plague the healthcare sector.”
In the meantime, organizations can take critical steps to reduce their risk of being the next victim of the kinds of attack that hit CTPO and countless other healthcare providers, Hamilton said.