Cyberattack roundup: DNA data auctioning and fourth-party Medicaid breach

Hospitals and health systems are tracking vulnerabilities in their network infrastructure, that of their vendors and widely used fourth-party tools. Meanwhile, bad actors are finding ways to target large organizations, regional hospitals and patients themselves.

Stolen Oklahoma patient health and DNA data 

Karakurt says on its website that it has +5GB of SQL data on the medical staff at McAlester Regional Health Center in Oklahoma. The personally identifiable information contains social security numbers, bank statements and invoices as well as patient health information, including medical reports and other confidential documents that have been exfiltrated, according to a report Monday on

The ransomware gang reportedly posted its plans to publish samples and then auction off the hospital’s sensitive information, which includes 40GB of genetic DNA patient records. 

Last year, the Karakurt data extortion group stole 360 gigabytes of data from Collin County, Texas-based Methodist McKinney Hospital, Methodist Allen Surgical Center and Methodist Craig Ranch Surgical Center and threatened to post it to the dark web. 

Thought to be an offshoot of Conti ransomware, Karakurt contacts victims directly and threatens to leak their data unless they pay the ransom. Karakurt has been known to harass cyber victims with both emails and phone calls for ransom demands ranging from $25K to $13M in Bitcoin, according to the report.

Payment deadlines expire within a week of first contact with the victim, the Cybersecurity and Infrastructure Security Agency and its partners said in an advisory in June 2022. 

McAlester Regional Health Center, a Level III trauma center, has not added a statement to its website, and its Facebook page does not address the patient data breach or any details about the PII and PHI that were compromised.

Karakurt relocated its website to the dark web after it went offline in the spring of 2022, CISA said.

Medicare beneficiaries’ data compromised in fourth-party MOVEit attack

According to Federal News Network on Monday, the Centers for Medicare and Medicaid Services is responding to a major data breach of the personal information of Medicare beneficiaries held by its business associate, Maximus Federal Services.

The company was reportedly one of several organizations that became victims of a fourth-party ransomware attack on the MOVEit file transfer software in late May.

“The incident involved a security vulnerability in the MOVEit software, a third-party application which allows for the transfer of files during the Medicare appeals process,” the agency said in its media advisory and letter to victims posted to

“Maximus is among the many organizations in the United States that have been impacted by the MOVEit vulnerability,” the agency said.

CMS said the company notified the agency on June 2, and the ongoing investigation has so far found evidence of compromise by an unauthorized party starting May 27 affecting 612,000 beneficiaries.

Through May 31, the unauthorized party was copying files saved in Maximus’ MOVEit application, “but no CMS system has been compromised.”

Data included PII and medical histories, provider and prescription information, health insurance claims and subscriber information, according to CMS.

While the CMS advisory does not mention Clop, a June CISA advisory said the ransomware gang is using LEMURLOOT, a web shell written in C# that is designed to target the MOVEit Transfer platform. 

Clop exposes Ohio public healthcare program data on the dark web

This week the Russia-linked ransomware gang also leaked a 40GB dataset that allegedly belongs to CareSource, an Ohio-based nonprofit organization providing public healthcare programs, including Medicaid, Medicare and marketplace, according to

“The cybercriminals leaked sensitive healthcare information such as drugs prescribed, risk groups and patients’ treatment details,” according to Wednesday’s report. 

CareSource was also involved in the April 2022 data breach of OneTouchPoint, a print and mail fulfillment services vendor that many healthcare organizations use, which affected millions of patients.

Clop, or Cl0p, and other ransomware gangs have mapped the healthcare sector, and they target business associates’ vulnerabilities, according to John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.

“They have figured out where the key strategic nodes are – those mission-critical third parties that have either access to bulk data, or they themselves have aggregated it,” he told Healthcare IT News in December during a conversation about federal support to fight cyberattacks on the healthcare sector.

CareSource has made no statement as of press time about the data leaked by Clop.

The Health 3rd Party Trust Initiative, which comprises a spectrum of healthcare and security organizations such as HITRUST and CORL, offered a new blueprint for third-party risk management that will hopefully help healthcare organizations and third-party vendors – like OneTouchPoint and Maximus Federal Services – to better engage on and more quickly address known vulnerabilities in managed file transfer and other tools that contain PII and PHI.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.

