Hawaii Clinic Notifies 124,000 of Hack Credited to LockBit
Data Leak Preceded Law Enforcement Crackdown on Group That Targets Health Sector
A Maui, Hawaii community clinic is notifying nearly 124,000 patients that their sensitive information was potentially compromised in a May data theft incident. LockBit 3.0 took credit for the hack, claiming to have published the stolen data on its leak site in June - several months before global authorities this week announced a crackdown on the cybercriminal group.
Community Clinic of Maui, Inc., which does business as Mālama I Ke Ola Health Center and operates its main clinic in the town of Wailuku, reported the hack to Maine state regulators on Sept. 26. The incident as of Wednesday did not appear to have been posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
This week, several law firms - including Schubert Jonckheer & Kolbe LLP and Edelson Lechtzin LLP - were investigating the breach for potential class action lawsuits against Mālama.
An attorney representing Mālama in the breach incident did not immediately respond to Information Security Media Group's request for comment and for additional details about the attack.
Breach Details
Mālama in its breach notice said that on May 7 it experienced a cybersecurity incident that affected connectivity to its network. Mālama notified law enforcement and worked closely with external cybersecurity experts. After an extensive forensic investigation and comprehensive document review, Mālama said it determined on Aug. 7 that personal data may have been subject to unauthorized access and acquisition between May 4 and May 7.
The information potentially compromised included first and last names, Social Security number, date of birth, driver's license number, state ID number, passport number, financial account number, routing number, bank name, credit and debit card number, card CVV, expiration date, PIN/security code, and login information.
Health information potentially compromised includes medical diagnosis, clinical information, medical treatment and procedure information, treatment type, treatment location, treatment cost, doctor's name, medical record number, patient account number, prescription information and biometric data.
Mālama said it has no evidence that any personal information has been misused for identity theft as a direct result of the incident. Individuals whose Social Security numbers were potentially impacted have been offered complimentary credit monitoring.
LockBit Crackdown
LockBit 3.0 claimed to have published the stolen Mālama data on its darkweb site on June 14.
On Tuesday, law enforcement from the United States, United Kingdom, France and Spain announced a coordinated crackdown against the Russian-speaking ransomware-as-a-service group, as well as Evil Corp (see: LockBit, Evil Corp. Targeted in Anti-Ransomware Crackdown).
Healthcare sector entities, such as Mālama, have been frequent targets for LockBit, as well as other cybercrime gangs.
But some experts predict that the law enforcement crackdown announced this week is likely to have minimal effect on the healthcare and other sectors - at least for now.
"It’s unlikely any of us will get respite from those involved with specific ransomware variants," said Raj Samani, senior vice president and chief scientist at security firm Rapid7.
LockBit has been one of the most active groups in the ransomware space for some time now, he said. "Unlike other groups we’ve seen, they have rarely paused any operations regarding the campaigns they have conducted," he said.
"Through our tracking of ransomware variants within Rapid7 Labs, we see a dynamic environment in which one group will stop its campaigns while another simply pops up and carries on. Moreover, the broader ecosystem of affiliates will invariably look for another variant to partner with," he said.
Other experts offer similar assessments. "Unfortunately, no single disruption will have a significant impact on the level of risk the healthcare sector faces from ransomware or, for that matter, ransomware levels generally," said Brett Callow, managing director in FTI Consulting’s cybersecurity and data privacy communications practice.
"However, that’s not to say that disruptions are without value as, in aggregate over time, they do have the potential to have a significant impact. And, of course, the more intelligence law enforcement obtains during the course of operations, the more it will be able to ramp up the frequency and scope of disruption activities," Callow said.
Callow said law enforcement needs more data to truly understand the impact on operations.
"To work out which strategies are working and how well they’re working, we really need a much better handle on the overall frequency and severity of incidents," he said. "Without that, law enforcement and policymakers will have only limited visibility into the effectiveness of their strategies."
More broadly, these types of crackdowns send a message to those carrying out such operations that cybercrime is not a risk-free area of crime, Samani said. "All too often, participants in digital crime consider this an area where they can continue their operations with no risk to themselves personally, which is not the case."