On December 9th, we published an article discussing the Akumin case and the fact that two ransomware groups had breached its IT systems, contrary to Akumin’s claims of a single intrusion over three months.
We attempted to contact them multiple times by sending emails to top company executives, but never received any responses. We can only speculate that if they had responded, they would have likely confirmed their publicly declared stance: a single cyberattack on October 11th, implicating a sole threat actor.
It is also conceivable that maintaining the narrative of a single data breach was the agreed “course of action” among the high-ranking professionals still leading Akumin, starting with their President. Unfortunately, such clarifications were not provided to us.
We sought answers about the initial cyberattack from the ransomware group responsible, BlackSuit, but were unable to establish contact. We wished to ascertain from BlackSuit whether, following the data exfiltration, they proceeded with encrypting the data.
Regrettably, we did not receive any responses, but we believe that BlackSuit did indeed encrypt the data. The answers to our questions may lie within Akumin’s latest press release, dated December 6th.
[…]On October 11, 2023, Akumin was the victim of a ransomware incident, which involved an unauthorized actor using malware to lock access to some files without authorization. After identifying this matter, Akumin took its systems offline, securely restored them, and regained access to its files.[…]
These are the three points that would confirm it:
- On October 11, 2023, Akumin was the victim of a ransomware incident
- (the threat actor) using malware to lock access to some files
- (Akumin) securely restored them, and regained access to its files.
Recall that by December 6th, the date of the last press release, Akumin had already experienced a second data breach (the attack occurred in the early days of November). This time, it was orchestrated by the ransomware group BianLian, which managed to exfiltrate 5 TB of highly sensitive data. Among these were PHI (Personal Health Information) records, as we noted in our initial article. We can now also assert with certainty that the stolen data includes copies of passports. Currently, there is no confirmation of whether the stolen data also includes PHI documents of minors.
It is crucial to note that, unlike the BlackSuit cyberattack on October 11th, BianLian did not proceed with encrypting the data after their exfiltration.
As mentioned earlier, this detail is significant because the cyberattack by BlackSuit on October 11th had led to a complete halt in medical services at Akumin centers (resulting in two weeks of missed patient care). MRI screenings, biopsy tests, nuclear medicine treatments, and other radiology services were affected. In contrast, the second attack on IT systems did not cause substantial disruptions to patients receiving care in Akumin medical centers. Almost all systems attacked on October 11th had been restored before BianLian targeted Akumin’s servers.
[…]Akumin has safely restored the majority of our systems. All of our locations have resumed patient care[…]
So these are two distinct incidents on entirely different timelines, with the two attacks on Akumin’s servers occurring four weeks apart.
Just a few hours ago, on their blog, BianLian updated the page dedicated to Akumin. Here is what they wrote:
Definitely Akumin doesn’t care about their systems’ security at all. They’ve neglected to keep safe millions of PII and PHI records of their patients. Akumin was breached twice within a month – FACT.
Having read the Notice of Data Event on their website we now believe they are trying to publicly merge October’s attack and ours in the one. Though they know well those were two separated cases (we’ve reached their top management on the phone, via email and messengers a huge number of times).
The page has also been updated with proof data regarding some PHI (Personal Health Information) and PII (Personally Identifiable Information) documents. It includes the financial value of Akumin as of July 2023 and the financial structure of the investment firm Stonepeak Partners, which, in November, alleviated Akumin’s debt, effectively becoming its controller.
This incident prompts serious questions about what we perceive as poor management of patient data by Akumin: individuals seeking medical care entrusted their data and medical history to the organization, only to have them ‘violated’ by two different groups of cybercriminals.
Personal data, including PHI and PII, should not have been handled with such negligence, lacking proper protection in the event of a cyberattack. It is no longer acceptable for patients to fear that their PHI and PII data could fall into the hands of any hacking group.
We would like to recommend to Akumin and all entities handling sensitive digital data that they prioritize the safeguarding of individuals’ privacy. This may involve substantial financial investments to secure their corporate networks and adequately train and inform their staff. We believe that having a well-prepared IT department capable of protecting the network is a priority every company should consider.
With the utmost respect, we would like to convey to Akumin that transparency in providing information to both patients and staff on matters like these should not be an option but an obligation.