An American healthcare provider whose patients’ records were allegedly published online in a ransomware attack has told patients their data is secure.
Affordacare runs an urgent care walk-in clinic network out of five locations in Texas. The organization was hit by a ransomware attack in February.
In a breach notification published on the organization’s website, Affordacare wrote: “Hackers attacked Affordacare’s servers and were able to compromise some limited, confidential information on or around Feb. 1, 2020. The hackers also installed ransomware on the servers.”
The healthcare provider said that data exposed in the incident included names, addresses, telephone numbers, dates of birth, ages, dates and locations of visits, reasons for visits, insurance plan providers, insurance plan policy numbers, insurance group numbers, treatment codes and descriptions, and comments from health care providers.
Despite refusing to pay the ransom, Affordacare told patients that “this incident did not affect your electronic health records, labs, Social Security number or any personal payment information.”
The healthcare provider said that the majority of health care records were stored in a cloud-based electronic health records system that was not affected by the incident.
Ransomware group MAZE has claimed responsibility for the February attack on Affordacare. The threat group claims to have exfiltrated more than 40 GB of data from the healthcare provider, including sensitive patient health data.
MAZE published what it claims is Affordacare data in a data dump on February 1 at http(colon)//mazenews(dot)top/site after the healthcare provider allegedly refused to pay the ransom.
After viewing the alleged Affordacare data, Emsisoft threat analyst Brett Callow told Infosecurity Magazine: “The dump includes information relating to numerous patients, including reports that were presumably requested by Affordacare from other medical practices, as well as details relating to Affordacare’s own payroll and the resumes of people who had applied for employment.”
What appear to be Affordacare patient records published online by MAZE and viewed by Infosecurity Magazine included names, Social Security numbers, and details of a testicular sonogram.
After notifying patients about the breach by letter on March 30, Affordacare stated on its website: “At this time, we do not know if your information was actually taken or misused.”