Idaho-Based Medical Center Says 464,000 Affected by Attack
Ransomware Gang ThreeAM Claims It Leaked 22 Gbytes of Kootenai Health's Stolen Data
An Idaho-based medical center is notifying more than 464,000 individuals that their sensitive information was potentially compromised in a cyberattack detected in March. Ransomware group ThreeAM claims to have leaked onto its dark web site 22 Gbytes of Kootenai Health's stolen data.
Kootenai Health, a medical referral center with a 397-bed main hospital in Coeur d'Alene, Idaho, and more than 200 providers across two dozen clinical specialties, reported the incident on Monday to Maine's attorney general as affecting 464,088 individuals, including 83 Maine residents.
Kootenai Health said several subsidiaries - including Kootenai Clinic, Kootenai Outpatient Surgery and Kootenai Outpatient Imaging - were affected by the incident.
As of Tuesday, a Kootenai Health report about the incident had not yet been posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Kootenai Health in a public statement on Monday said it became aware on March 2 of unusual activity that disrupted access to certain IT systems.
"Upon discovering this activity, Kootenai Health took steps to secure its digital environment. Kootenai Health also engaged leading cybersecurity experts to assist with an investigation and to determine whether personal information may have been accessed or acquired without authorization," the statement says.
The investigation determined that a threat actor may have gained unauthorized access to certain data from the Kootenai Health network on or around Feb. 22, the statement says.
A comprehensive review of the affected data was completed on Aug. 1, and Kootenai Health said it began mailing notification letters on Monday.
Information potentially compromised includes individuals' names, birthdates, Social Security numbers, driver's license or government-issued identification numbers, medical record numbers, medical treatment and condition information, medical diagnoses, medication information, and health insurance information, the entity said.
Kootenai Health said it notified the FBI about the attack and is taking "additional steps" to help prevent a similar event in the future.
"The incident had no impact on Kootenai Health's operations or ability to serve patients and the community," Kootenai Health said in its public statement. "To date, Kootenai Health is not aware of any attempt to misuse any information potentially involved in this incident."
Kootenai Health is offering affected individuals 12 months of complimentary credit and identity monitoring.
Security firm Symantec's Threat Hunter Team, now part of Broadcom, in a report last year first identified a group calling itself ThreeAM, or 3AM, when a ransomware affiliate attempted to deploy LockBit on a target's network but was blocked.
Earlier Disclosure
On April 3, Kootenai Health posted a notice on its Facebook page publicly disclosing that in early March it had discovered suspicious activity on its IT network. "Our monitoring tools immediately quarantined the activity and we isolated all impacted systems to limit any potential impact," the post said.
"We also engaged a team of cybersecurity experts to investigate the incident and bring our systems online in a safe and secure manner," Kootenai Health said at the time.
At that point, Kootenai Health said, it was conducting a comprehensive review of the potentially affected data.
Two weeks later, on April 19, the first - and so far, as of Tuesday, the only - proposed federal class action lawsuit involving the incident was filed against Kootenai Health by a patient alleging, among other claims, that the entity was negligent in failing to protect individuals' sensitive health information, putting them at risk for identity theft and fraud crimes.
That lawsuit, filed by Sonna Griffiths on behalf of herself and others similarly situated, alleges that Kootenai Health earlier said that the breach affected 827,149 patients.
"The data breach was a direct result of defendant's failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect individuals' private Information, which defendant required plaintiff to provide to receive medical care," alleges the lawsuit complaint.
"The exposure of one's Private Information to cybercriminals is a bell that cannot be un-rung," alleges the lawsuit, which is seeking financial damages and injunctive relief including improvements to Kootenai Health's data security systems and practices.
Kootenai Health did not immediately respond to Information Security Media Group's request for additional details about the incident.