Florida-Based Drug Testing Lab Says 300,000 Affected in Hack
Cybercriminal Gang RansomHub Claims It Leaked 700 Gigabytes of Lab’s Stolen Data
Florida drug testing medical laboratory American Clinical Solutions told federal regulators that 300,000 individuals are caught up in a hacking incident now that criminal gang RansomHub has published 700 gigabytes worth of data stolen from the lab’s network.
ACS, which provides patient testing for prescription and illicit narcotics to healthcare providers, reported the hacking incident on July 24 to the U.S. Department of Health and Human Services’ Office for Civil Rights.
RansomHub on its dark web leak site claims the 700 gigabytes of data stolen from ACS includes Social Security numbers, addresses, drug test results, medical information, insurance information and other sensitive details. The site includes lab testing results from January 2016 until May 2024, the time of the alleged hacking incident.
“Information about a person’s use of opioids and medical marijuana is extremely sensitive,” said privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
“Unprotected patient information of this type could cause significant reputational harm or cause individuals to be subject to compromise through financial harm, through extortion or threats to their professional standing,” said Holtzman.
Several law firms, including Console & Associates P.C. and Chimicles Schwartz Kriner & Donaldson-Smith, have already posted public statements on their websites saying they are investigating the incident for potential class action lawsuits.
As of Monday, ACS does not appear to have posted a breach notification statement about the incident on its website. ACS also did not immediately respond to Information Security Media Group’s request for details about the data breach.
“ACS may be compounding the risk by not alerting patients to the existence of the type or scope of the breach incident,” Holtzman said. “Hopefully, this information will lead HHS or state attorneys general to look into whether ACS has complied with HIPAA requirements and various state laws concerning notices for breach notification.”
Medical organizations regulated by HIPAA usually must notify affected individuals within 60 days of discovery of a protected health information compromise.
There are a few limited exceptions to that breach notification timeline. “It could be that a law enforcement agency relayed that they should wait or they may not have ascertained the total number of affected individuals,” said regulatory attorney Rachel Rose.
“Likely, there is a discussion going on behind the scenes,” she said, referring to why ACS has not yet posted a public statement about the breach. “What also stood out to me is that this involves drug testing, which carries a higher sensitivity,” she said.
While ACS is not a substance disorder treatment facility (such facilities fall under the umbrella of more stringent federal 42 CFR Part 2 privacy regulations), the sensitive nature of the compromised drug testing information is still concerning, she said.
“This type of PHI is generally considered more sensitive because of its nature – analogous to reproductive health, certain diseases such as AIDS, or mental health information,” she said.
Who Is RansomHub?
RansomHub first surfaced in February and quickly took responsibility for major hacks in healthcare and other sectors.
It was the second gang to demand a ransom from Change Healthcare after the company’s February ransomware attack by Alphv/BlackCat.
While Change Healthcare’s parent company admitted paying a $22 million ransom in the attack, one of the BlackCat affiliates behind the Feb. 21 incident claimed BlackCat administrators kept the entirety of the ransom payment, rather than sharing the affiliate’s cut.
That led to RansomHub claiming to have custody of the stolen Change Healthcare data and demanding a second ransom. UnitedHealth Group has publicly said it paid only one ransom in the incident (see: BlackCat Ransomware Group Seizure Appears to Be Exit Scam).
RansomHub also claimed to be behind a June attack on drugstore chain Rite Aid, which affected the data of 2.2 million individuals (see: Rite Aid Says Ransomware Group Stole 2.2M Customers’ Data).
Security firm Rapid7 in a recent report called RansomHub one of the most notable new ransomware groups.