Fredericksburg Foot & Ankle Center informs patients about data security incident six months later

Parker Bytes October 28, 2023

Well, pull up a cuppa and let’s have a natter about something that’s got my goat lately. You see, dodgy dealings have been afoot across the pond involving a medical practice, revealing a veritable nest of snakes in the world of cyber security.

Mark your diaries – on the 24th of October, there was a bit of a stir at the Fredericksburg Foot & Ankle Center in Virginia. The poor old chaps were forced to send out a shedload of letters to almost 15,000 of their patients, passing on the dreadfully unpleasant news that their personal data had been accessed by some uninvited internet denizen. A sticky wicket, indeed.

The “What Happened?” section of the letter was a bit scant on detail, though. Nothing about ransomware, nothing about any demand for dosh. “Due to a recent incident, an unauthorised person accessed our computer systems” is all it said. Chillingly concise.

Reading further, the folks who received the letter saw that the incident actually occurred back in April. Peculiar, isn’t it? There was a bit of a hoo-ha with legal counsel having to inform the Maine Attorney General’s Office that the breach was only discovered on the 5th of September. But really, should it have been identified even earlier, around June 7? That’s when a group called LockBit3.0 put the medical practice on their leak website. It’s all a bit murky.

Oh, and here’s another weird bit. Despite setting a June payment deadline, this LockBit3.0 lot never actually exposed any of the data. Then, oddly, less than a day after the practice posted their own notice online, LockBit3.0 ended up leaking what they claim to be 1.6 TB of files from the practice. Eyeballing the data suggests they were a mix of older files from around 2003 to 2012.

What makes this all a bit more grisly is the type of patient data that was caught up in the breach – we’re talking full names, addresses, birth dates, Social Security numbers, driver’s license numbers, clinical and health insurance information. Not the sort of stuff you want to find in the hands of strangers.

So now we all wait with bated breath for the report to appear on the HHS public breach tool. Who knows, hope could still be on the horizon – the number of patients affected might be fewer than the figure initially reported to Maine. But here’s the rub: as the leak occurred after the notifications were sent out, patients are still in the dark about whether their data actually got leaked.

All in all, mate, it’s a right dog’s dinner.

by Parker Bytes