Rhysida pwns two US healthcare orgs, extracts over 300K patients’ data – Source: go.theregister.com

Source: go.theregister.com – Author: Connor Jones

Break-ins to systems hosting the data of two US healthcare organizations led to thieves making off with the personal and medical data of more than 300,000 patients.

Kansas-based Sunflower Medical Group and Rhode Island’s Community Care Alliance (CCA) both disclosed separate attacks.

Sunflower said in a letter to affected individuals that intruders on its network weren’t detected for nearly a month. Miscreants wormed their way in on December 15, but their activity wasn’t discovered until January 7.

During that time, they stole data including names, addresses, dates of birth, Social Security Numbers (SSN), driver’s license numbers, medical information, and health insurance information.

Not all individuals would have had all these data types stolen – it varies from patient to patient. Sunflower told Maine’s Attorney General’s Office that 220,968 people were affected.

The organization, which runs four facilities across the Kansas City metro, didn’t mention ransomware in its disclosure or letters to victims, but the day it detected the intrusion was the same day the Rhysida gang claimed responsibility.

Sunflower still appears on Rhysida’s leak site, which purportedly offers 7.6 TB worth of data, including a 3 TB SQL database. The criminals claimed the stolen data comprises more than 400,000 identity documents and SSNs.

The second US org, Community Care Alliance (CCA), was attacked over four days in July 2024, and like Sunflower, its official disclosure doesn’t mention ransomware, despite Rhysida also claiming responsibility.

CCA determined after a six-month investigation that names, addresses, dates of birth, driver’s license numbers, and SSNs were stolen. Medical data was also lifted and this included diagnoses and conditions, lab results, medications, patient ID numbers, health insurance information, provider names, and other treatment information.

This broadly tracks with the sample of data leaked on Rhysida’s website, which also appears to show that internal documents such as invoices and budgets were taken. Additionally, the criminals claim the terabytes of data on offer include credit card information, although we haven’t reviewed the full dataset to confirm the validity of that statement.

CCA, which runs various health services and programs across more than ten sites around Rhode Island, told Maine’s Attorney General’s Office that more than 114,000 people were affected in total.

Sunflower said in its letter to victims that it has no evidence to suggest the data compromised during its incident was misused in any way. CCA made no statement about whether the same could be applied to its patients.

Victims of both attacks have nevertheless been offered the usual credit monitoring services for one year and were advised to remain vigilant to any hijinks involving their data, such as fraud attempts and other scams.

Both Sunflower and CCA promised victims that their respective security systems have been fortified to reduce the risk of future breaches and, in typical attack-disclosure fashion, stated that they take data security extremely seriously. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/03/10/rhysida_healthcare/
