Breach Notification , Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime

Ransom Paid Just Before Netwalker Gang Disrupted

Client Says Third-Party Administrator Paid for Promise to Destroy Exfiltrated Data
Ransom Paid Just Before Netwalker Gang Disrupted

A third-party claims administrator of health and social services programs for the elderly apparently paid a ransom to Netwalker attackers about a month before global law enforcement officials disrupted the gang in January.

See Also: S&P 400 Financial Services Leader's Choice for Advanced Malware Protection: A Case Study

In a breach notification provided to the California attorney general's office, Los Angeles-based Brandman Centers for Senior Care says it was informed on Jan. 23 by its health plan management services vendor, PeakTPA, of a ransomware attack on Dec. 31 affecting data of Brandman program participants.

PeakTPA "paid a ransom on Jan. 2 and received evidence that all information obtained [by attackers] was destroyed on Jan. 3," the Brandman statement notes.

In its own notice posted on its website, St. Louis, Missouri-based PeakTPA says the ransomware attack affected two of its cloud servers.

PeakTPA notes that on Jan. 27, "the criminal group behind the attack, Netwalker, was broken up by the FBI. Its leader was arrested, and its assets were seized. Still, PeakTPA has put in place more protections to prevent a theft like this from happening again."

The organization, however, makes no mention of having paid a ransom.

Exposed information may include full name, home address, date of birth, Social Security number, diagnosis and treatment information, PeakTPA says.

The company says it's offering individuals affected by the incident three years of prepaid credit and identity monitoring through Kroll.

PeakTPA did not immediately respond to an Information Security Media Group request for comment. The company provides claims management services for entities that offer comprehensive medical and social services under the Program of All-Inclusive Care for the Elderly, or PACE. Individuals' PACE program ID numbers were exposed in the breach.

Other Affected Clients

Among other PeakTPA clients issuing recent breach notification statements about the incident are Springfield, Massachusetts-based Mercy Life Inc., according to a sample notification letter provided to Massachusetts regulators, and Jonesboro, Arkansas-based St. Bernard's Healthcare.

A St. Bernard's Healthcare spokesman tells ISMG that about 500 individuals who participate in the organization's Total Life Healthcare PACE program were affected by the PeakTPA incident.

The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows that PeakTPA reported the incident on March 2 as affecting 50,000 individuals.

It's unclear whether the figure reported to HHS represents all individuals affected at every PeakTPA client organization, or if additional data breaches related to the incident could be separately reported.

Gang Disrupted

The U.S. Justice Department and Bulgarian authorities on Jan. 27 announced they hadseized servers and disrupted the infrastructure and darknet websites of the Netwalker ransomware gang and also made one arrest.

Netwalker ransomware has affected numerous victims, including companies, municipalities, hospitals, law enforcement agencies, emergency services, school districts, colleges and universities, the DOJ said.

"Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims," the DOJ noted.

Vendor Incidents Climb

The PeakTPA ransomware incident joins a long and growing list of cyberattacks so far this year on vendors and business associates serving the healthcare sector (see: Hacking Incidents, Vendor Breaches Keep Surging).

For instance, the tally of healthcare organizations affected by the recent cyberattack against Accellion continues to grow.

So far, the HHS breach website shows several Accellion-related health data breaches, the largest reported by supermarket and pharmacy chain Kroger, with 368,000 individuals' protected health information affected (see: More Health Data Breaches Tied to Vendor Incidents).

The University of Colorado and the University of Miami Health System are also among the latest institutions disclosing that they were affected by the Accellion incident.

"Attacks in healthcare are only going to increase," says Ben Denkers, executive vice president of strategy and operations at security and privacy consultancy CynergisTek. "Organizations need to be diligent in understanding their threat landscape and must take into account the security posture of third-party organizations they may rely on."

With attacks on third parties surging, it's critical that healthcare organizations keep cybersecurity top of mind when giving vendors access to their systems and ensure the vendor has minimal access privileges to the administrative systems, says Monique Becenti, of security consulting firm Pondurance.

"It’s common for organizations to overlook the domain controller, which is why it is critical to keep your domain controller privileges separate from administrative privileges," she says. "That's because the domain controller has the most access to your network and user access privileges."

Lingering Risks

Despite PeakTPA paying a ransom, PACE program patients' data could still be at risk, security experts warn.

"Once the data has been exfiltrated, it becomes an impossible task to have a chain of custody," Denkers says. "There have been accounts of organizations who have paid the ransom and had expected the attackers to destroy the data, only to find out months later the data was still lurking on the dark web."

Becenti offers a similar warning. "Once an organization has been compromised, they are likely to face repeated attacks. In fact, it is common for bad actors to leave a back door easily accessible within the organization to deploy another ransomware attack in the future for an effortless monetary gain."

Healthcare providers need to understand that ransomware attacks can be a "major decoy into a much larger scheme," such as establishing remote access to medical records or sensitive patient data to sell on the dark web for a much larger payoff, she adds. "As hospitals require 24/7 patient care, it can make routine cybersecurity maintenance difficult."

Breaches compromising the data of elderly patients can be particularly damaging, Denkers notes.

"Attackers prey on the weak for a reason, as their ability to defend or even identify is often limited. Often the results of these crimes aren’t seen or felt for months."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.