[BreachExchange] Hive ransomware group claims to steal California health plan patient data

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Mar 30 09:39:34 EDT 2022


https://venturebeat.com/2022/03/29/hive-ransomware-group-claims-to-steal-california-health-plan-patient-data/

The Hive ransomware group, known for attacking healthcare organizations,
posted on its darkweb site that it has stolen 850,000 personally
identifiable information (PII) records from the Partnership HealthPlan of
California.

The organization’s website currently consists of a landing page that says
the health plan has been “experiencing technical difficulties,” including a
“disruption to certain computer systems.” The organization’s phone systems
have a similar message, with a recorded message saying that “all of our
systems are down, with no expected time of repair.”

“We are working diligently with third-party specialists to investigate the
source of this disruption, confirm its impact on our systems, and to
restore full functionality to our systems as soon as possible,” the health
plan said in the message on its website, which is not dated.

The Partnership HealthPlan of California says it has set up Gmail addresses
for patients and providers to contact. VentureBeat has emailed the address
for general inquiries.

Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said in a
message to VentureBeat that “establishing alternative communication
channels is a standard play in incident response.”

“Even if your email system is working, the attackers could have access and
be able to monitor communications,” Callow said.

The technical issues appear to have begun several days ago. The Press
Democrat reported on the issues on March 24, without mention of a
cyberattack, and indicated that the health plan has more than 618,000
members in Northern California.

The Hive ransomware group posted its claim about the stolen Partnership
HealthPlan of California data on Tuesday. The data includes 850,000 unique
PII records, such as name, Social Security number and address, according to
the group. The stolen data also includes 400 GB of stolen files from the
organization’s server, Hive claimed.

The ransomware group has been active since at least June 2021, which is the
first time the group posted on its “HiveLeaks” darkweb site.

Past reported ransomware attacks by Hive have included an August 2021
attack against Memorial Health System, which has hospitals in Ohio and West
Virginia, and an October 2021 attack against Johnson Memorial Health in
Indiana.

A previous alert from the FBI warned that the Hive ransomware group “likely
operates as an affiliate-based ransomware, employs a wide variety of
tactics, techniques, and procedures (TTPs), creating significant challenges
for defense and mitigation.”

“Hive ransomware uses multiple mechanisms to compromise business networks,
including phishing emails with malicious attachments to gain access and
Remote Desktop Protocol (RDP) to move laterally once on the network,” the
FBI said. “After compromising a victim network, Hive ransomware actors
exfiltrate data and encrypt files on the network. The actors leave a ransom
note in each affected directory within a victim’s system, which provides
instructions on how to purchase the decryption software. The ransom note
also threatens to leak exfiltrated victim data on the Tor site,
‘HiveLeaks.’”