Article Details
Scrape Timestamp (UTC): 2025-03-10 14:06:10.307
Source: https://www.theregister.com/2025/03/10/rhysida_healthcare/
Original Article Text
Rhysida pwns two US healthcare orgs, extracts over 300K patients' data

Terabytes of sensitive info remain available for download

Break-ins to systems hosting the data of two US healthcare organizations led to thieves making off with the personal and medical data of more than 300,000 patients.

Kansas-based Sunflower Medical Group and Rhode Island's Community Care Alliance (CCA) both disclosed separate attacks.

Sunflower said in a letter to affected individuals that intruders on its network weren't detected for nearly a month. Miscreants wormed their way in on December 15, but their activity wasn't discovered until January 7. During that time, they stole data including names, addresses, dates of birth, Social Security Numbers (SSN), driver's license numbers, medical information, and health insurance information. Not all individuals would have had all these data types stolen – it varies from patient to patient.

Sunflower told Maine's Attorney General's Office that 220,968 people were affected.

The organization, which runs four facilities across the Kansas City metro, didn't mention ransomware in its disclosure or letters to victims, but the day it detected the intrusion was the same day the Rhysida gang claimed responsibility.

Sunflower still appears on Rhysida's leak site, which purportedly offers 7.6 TB worth of data, including a 3 TB SQL database. The criminals claimed the stolen data comprises more than 400,000 identity documents and SSNs.

The second US org, Community Care Alliance (CCA), was attacked over four days in July 2024, and like Sunflower, its official disclosure doesn't mention ransomware, despite Rhysida also claiming responsibility.

CCA determined after a six-month investigation that names, addresses, dates of birth, driver's license numbers, and SSNs were stolen. Medical data was also lifted and this included diagnoses and conditions, lab results, medications, patient ID numbers, health insurance information, provider names, and other treatment information.

This broadly tracks with the sample of data leaked on Rhysida's website, which also appears to show internal documents such as invoices and budgets were taken too. Additionally, the criminals claim the terabytes of data on offer also include credit card information, although we haven't reviewed the full dataset to confirm the validity of that statement.

CCA, which runs various health services and programs across more than ten sites around Rhode Island, told Maine's Attorney General's Office that more than 114,000 people were affected in total.

Sunflower said in its letter to victims that it has no evidence to suggest the data compromised during its incident was misused in any way. CCA made no statement about whether the same could be applied to its patients.

Victims of both attacks have nevertheless been offered the usual credit monitoring services for one year and were advised to remain vigilant to any hijinks involving their data, such as fraud attempts and other scams.

Both Sunflower and CCA promised victims that their respective security systems have been fortified to reduce the risk of future breaches and, in typical attack-disclosure fashion, stated that they take data security extremely seriously.

NHS probes dodgy APIs

Across the pond, the UK's National Health Service (NHS) is reportedly also looking into its own security issue. TEISS reported on Thursday that a software developer raised concerns over poorly secured APIs in software used by private healthcare supplier Medefer. The source claimed the weaknesses had been present for around six years and could have exposed patient data to prying eyes, if the snooper knew where to look.

Medefer denied that the issues could have led to a data leak of any kind. The API flaws were reported in November last year and fixed within 48 hours. There is no evidence to suggest that any data was compromised, per an external security audit, which was ordered in late February but remains ongoing.
Daily Brief Summary
Two US healthcare entities, Sunflower Medical Group and Community Care Alliance, suffered major data breaches.
Data on more than 300,000 patients combined (220,968 at Sunflower, over 114,000 at CCA) was stolen, including names, dates of birth, SSNs, driver's license numbers, medical records, and health insurance information; Rhysida claims the Sunflower haul alone holds over 400,000 identity documents and SSNs.
Sunflower's intruders went undetected for nearly a month (December 15 to January 7); CCA's July 2024 intrusion lasted four days, and its investigation took six months to determine what was taken.
Neither organization's disclosure mentions ransomware, although the Rhysida gang claimed responsibility for both attacks.
Rhysida's leak site still lists 7.6 TB of Sunflower data, including a 3 TB SQL database, and a sample of CCA's data, with the gang claiming the CCA trove also contains credit card information.
Victims have been offered credit monitoring services and advised to watch for possible fraud.
Both organizations claim to have strengthened their security systems post-breach.