The healthcare data breach at Montgomery General Hospital (MGH) in West Virginia is a story of twists and turns. We don’t yet know how many individuals have been affected, or the precise types of information compromised, since MGH is still investigating. But the attackers have published at least some of the stolen data on the Dark Web, and both patients and employees have been affected.
The Story From the Hackers at Donut Leaks
The breach was first reported by DataBreaches.net on April 2, 2023. DataBreaches.net became aware of the breach because one of the hackers emailed them with a link to the Donut Leaks ransomware group’s leak site on the Dark Web.
Read the story as told by DataBreaches.net, which was communicating directly with a member of Donut Leaks – the inside back-and-forth is fascinating. When asked how the hackers had gained access, they replied “via Microsoft Exchange exploit.”
The hackers provided chat logs between Donut Leaks and MGH which line up, at least in part, with MGH’s own public description of the event (see below). From DataBreaches.net:
“The chat began on March 5 when someone showed up claiming to be a member of MGH’s executive team. D#nut’s negotiator (“d0nut”) told MGH: We are here to inform you that we have infiltrated your network and stayed there for 3 days (it was enough to study your documentation and gain access to your files and services). Also we have downloaded personal data related to your patients, employees and management. Since your business provides critical services and its infrastructure necessary for ordinary people health, we decided not to crypt or damage your network. But we still have downloaded sensitive data from there, so we could make a deal.”
The story continues with weeks of discussion and negotiation between MGH and the hackers. Donut Leaks reportedly demanded a $750,000 ransom, and after the hospital refused to comply, the hackers finally published the data on March 31, 26 days after negotiations started.
According to DataBreaches.net, the published data they saw contained “employee-related files with personnel and payroll information for former and current employees, such as Social Security numbers, pay rate, etc., patient files with medical histories, diagnoses, treatment plans, test results, and health insurance billing records with policy information, dates of services, CPT codes, and amounts charged.”
Montgomery General Hospital Explains
The hospital discovered “irregular activity” on its IT network on February 28, and says “a ransomware incident” occurred on March 1, according to Information Security Group. MGH immediately engaged a security firm and reported the incident to the FBI and the Department of Homeland Security. The incident began with an email phishing attack; several servers on the hospital’s network, containing mostly historic “institutional data,” were locked by the attack.
MGH did not pay the $750,000 ransom, in part because “the data was so old that it wasn’t worth paying.” In addition, law enforcement had advised against paying the ransom. Note that this description of the data doesn’t mesh with the data viewed by DataBreaches.net, described above. However, MGH’s and law enforcement’s investigations are not finished, and the information may change as more is learned.
Although the breach has not yet been reported to HHS, MGH intends to report it and notify affected individuals in coming days.
Security Rule Checklist Can Prevent Cyber Attacks
The two explanations of how the attack occurred, “via phishing email” and “via Microsoft Exchange exploit,” could describe the same or overlapping causes. The investigation isn’t complete, so details aren’t known. However, what is known is that a regular security risk assessment, as part of a full HIPAA Risk Analysis, would detect weaknesses and help shore up defenses before an attack occurs.
Don’t wait for the dreaded ransom demand. Avoid having to engage a security firm to find out what went wrong after the fact. Avoid making that call to the FBI. Take action today to use the HIPAA Security Rule to outsmart the hackers.