For a medical practice recovering from ransomware, it’s a bad sign when a Google search about your breach brings up a law firm at the top of the search results.
News of recent ransomware attacks against Southeastern Orthopaedic Specialists and Carespring by the NoEscape ransomware group just hit the DataBreaches.net website two days ago, on November 14; yesterday, The Lyon Firm published a blog post noting that it’s investigating the breaches, which “potentially impacted thousands of individuals.”
The Lyon Firm is a plaintiffs’ law firm and lists class action lawsuits, data privacy, hospital data breach, and consumer protection among its practice areas. It appears the firm is evaluating the scope of the breaches and looking for individual victims to join a potential class action lawsuit.
Other plaintiffs’ law firms may follow in the coming days. When large breaches occur, several law firms typically notify the public they are looking for people whose data may have been compromised.
Only a little is known about either ransomware incident as of today. DataBreaches.net posted screenshots of the NoEscape group’s web notice, but neither healthcare organization has confirmed whether ransomware attacks occurred. Today, the only information about the cyberattacks comes from the ransomware group via DataBreaches.net.
Southeastern Orthopaedic Specialists
The NoEscape group claims it attacked Southeastern Orthopaedic in the Piedmont Triad area of central North Carolina on October 25, exfiltrating 3 GB of data. The Southeastern Orthopaedic website is not working today, perhaps indicating it was hit with a distributed denial-of-service (DDoS) attack – a high-pressure tactic cyber attackers use to force victims to pay a ransom.
Carespring
Carespring provides skilled nursing, memory care, rehabilitation, and independent or assisted living services in Cincinnati, Dayton, and Northern Kentucky. The ransomware group claims it attacked Carespring on November 10, exfiltrating 364 GB.
It appears that Carespring did not give in to the ransomware group’s demands, leading the group to post this additional threat:
“We advise you not to bring the situation to a critical level and contact us soon is possiple (sic). If you guys continue to remain silent, we will begin to deal new blows to your network, and a data leak will entail lawsuits, proceedings, compensation payments and multimillion-dollar losses, we think you have already become familiar with the file tree, so you should understand what kind of data we have. If you do not contact us before the end of the timer, we will begin partial publication of the data. We are your last chance to get out of this situation with minimal losses. Time is running out.”
NoEscape Goes After Healthcare
The Health Sector Cybersecurity Coordination Center (HC3) warned about the rise of NoEscape threats last month in an analyst note aimed at the Healthcare and Public Health sector.
NoEscape emerged in May 2023 and quickly became known for using aggressive tactics to extort victims. NoEscape is believed to be a successor of Avaddon, a ransomware group shut down in 2021. While details about the two recent attacks are unknown, NoEscape ransom demands in previous attacks ranged from hundreds of thousands of dollars to over $10 million.
Next Steps for Carespring and Southeastern Orthopaedic
The long process of recovery is underway.
Both organizations have likely notified law enforcement. They are investigating the extent of the damage and determining, as far as possible, whether patient information may have been compromised and, if so, what type of information and which patients were affected.
They must notify patients, the media, and governmental authorities to comply with the HIPAA Breach Notification Rule. They must prepare to respond to potential investigations from the Office for Civil Rights (OCR), which enforces HIPAA. They also need to defend against the class action lawsuits likely to follow. The costs will be staggering.
Finally, depending on their internal forensic analyses, they’ll likely strengthen their cybersecurity defenses to prevent a similar attack from succeeding in the future.
We will continue to monitor news about these ransomware attacks and post updates as they unfold.