The Affordacare Urgent Care Clinic, a network of medical providers based in Texas, has officially confirmed a combination data breach-ransomware attack that exposed sensitive information. The company is claiming that Social Security numbers were not impacted in the incident, despite security experts having demonstrated that the attackers have published stolen documents containing patients’ and employees’ SSNs.
The attack, which took place around Feb. 1, has been attributed to the Maze ransomware group, and was originally reported several weeks ago by DataBreaches.net. On Tuesday, the Abilene Reporter News reported that the company, which operates five locations across West Texas, has since notified patients of the breach by letter. The report also cites a press release — which SC Media has so far been unable to obtain — in which the company states that it first learned of the incident on Feb. 4.
Affordacare also has set up an FAQ page, which says affected information includes patient name, address, telephone number, date of birth, age, date of visit, location of visit, reason for visit, insurance plan provider, insurance plan policy number, insurance group number, treatment codes and descriptions, and health care provider comments.
“However, this incident did not affect your electronic health records, labs, Social Security number or any personal payment information,” the FAQ page asserts. “The majority of your health care records are stored securely in an electronic health record system that is cloud-based. The EHR was not affected by this incident.”
But upon reporting the incident several weeks ago, DataBreaches.net published a sample of an anonymized employee’s stolen W4 form that included a Social Security number. Also, yesterday evening, Brett Callow, threat analyst at Emsisoft, sent SC Media an email containing another example — a patient’s release of medical records that clearly includes a written Social Security number.
Callow also sent SC Media additional documents posted on the Maze site, which appear to consist of detailed customer payment records, as well as filled-out health forms that — even if they did not come from the cloud-based electronic health record system — appear to at the very least contain protected health information.
Maze attackers typically begin publishing documents such as these on their public doxxing website if they do not receive an extortion payment from victims whose files have been encrypted and exfiltrated.
The FAQ page also does not appear to acknowledge employee data was affected, even though DataBreaches.net had previously reported that worker compensation documentation and employee payroll information were impacted. Callow also said that he found the resumes of job applicants among Maze’s data stash.
SC Media has reached out to Affordacare for comment and clarification on its various claims about the affected information.
Meanwhile, DataBreaches.net has also reported that it observed a post on a Russian-language forum suggesting that Advanced Urgent Care of the Florida Keys also suffered a data exfiltration attack. The culprits behind this incident are unknown, and the Maze group reportedly denied involvement.
On its FAQ page, Affordacare says it responded to the incident by contacting federal and local law enforcement, implementing “additional safeguards to improve data security,” identifying and removing the vulnerability exploited by the attackers, and offering a year of free credit monitoring and identity theft monitoring.