Akumin undergoes two cyber attacks in less than a month: thousands of PHI and PII data still in the hands of BlackSuit and BianLian


What the executives and employees of Akumin Inc., and especially the patients who rely on its services, have been experiencing in recent weeks is not something to be taken lightly. Akumin provides outsourced radiology services to over 1,000 hospitals and healthcare systems in 48 American states, including MRI screenings, biopsy tests, and nuclear medicine treatments. The company is headquartered in Plantation, Florida.

Two cyber attacks within a very short span of weeks: the first in mid-October carried out by the BlackSuit cybercriminal group, as reported in an HHS document, and the second attack in the early days of November by the ransomware group BianLian. The latter, through their blog, claims to be in possession of millions of highly sensitive documents, totaling 5TB of data.

– Finance data
– Patients’ personal data
– Health and medical records
– Internal email correspondence
– Akumin’s software source code

Two ransomware attacks that only worsen an already challenging situation for a company forced to confront serious financial problems. The company, compelled to declare bankruptcy in order to “reboot,” has entered into an agreement with Stonepeak, an investment services company. This agreement ensured the cancellation of $470 million in debts, with the loan balance converted into ordinary shares of Akumin stock, now owned by Stonepeak.

The debt reportedly began to accumulate after the acquisition of Alliance Healthcare Services for $820 million in September 2021. It is also worth noting that in February 2021, U.S. Attorney David C. Weiss of the Delaware District announced that Akumin Corporation and Delaware Open MRI Radiology Associates, LLC had agreed to a $749,600 settlement with the federal government to resolve allegations of healthcare fraud under the federal False Claims Act.

The Akumin Corporation was accused of healthcare fraud under the federal False Claims Act; in the rationale of the proceedings against Akumin, it is stated…

[…]Although diagnostic imaging studies are typically performed by technicians, Medicare regulations require that certain procedures be supervised by a physician who is present in the office suite during the procedure.  During an investigation of Akumin’s practices at its sites in Delaware and Texas, the government identified over 1,500 instances, most of them between 2015 and 2017, in which either no physician was present for studies that required supervision or Akumin was unable to determine whether a physician was present.[…]

Now, nearly three years later, Akumin is facing another type of problem: the theft of PHI (Protected Health Information) and PII (Personally Identifiable Information), as reported by @Dissent on DataBreaches.net’s website. Akumin had experienced its first ransomware attack on October 11, forcing the company to suspend the provision of diagnostic services to its patients. This significant disruption compelled thousands of patients to postpone their appointments, as stated by the husband of a patient to the WPTV television station in West Palm Beach, Florida. She had her follow-up appointment for a stomach cyst canceled due to the service interruption.

Who knows how many similar situations patients of Akumin-affiliated diagnostic facilities had to face during the weeks when all computer systems were offline for security reasons.

We mentioned above the serious problems Akumin is experiencing due to poor financial management of its corporate capital. The DataBreaches.net account adds further details. @Dissent writes:

First Coast News in Florida reports that in an SEC 8-K filing dated October 22, 2023, Akumin CEO Riadh Zine said the company got notice from Nasdaq’s Listing Qualifications Department that Akumin’s “Common Stock’s closing bid price had been below $1 for 30 consecutive business days and that it was therefore not in compliance with Bid Price Requirement.”

But all of this was happening towards the end of October, and as the days passed, the situation evolved. In November, Akumin obtained approval from the bankruptcy court for the Stonepeak take-private agreement, agreeing to a debt-for-equity swap worth $470 million. This restructuring will make the radiology services provider private, with control of the business transferred to the investment firm Stonepeak Partners. You can read the official statement from Akumin on October 20th here.

But let’s return to the issue of data theft and the dual cyber attack that occurred in a very short period, resulting in the theft of millions of PHI and PII documents, along with administrative and financial documentation, twice by different cybercriminals.

Akumin reported that the data theft occurred on October 11 and that it implemented the necessary security procedures, including taking its servers offline. This resulted in significant harm to patients who, from that point onward, were unable to undergo checks or assessments of their health through MRI screenings, biopsy tests, nuclear medicine treatments, and other radiology services.

In its press release on November 10, Akumin stated that it had restored the majority of its systems and that all locations had resumed patient care, with the ability to schedule patient appointments.

At this time, Akumin has safely restored the majority of our systems. All of our locations have resumed patient care and are now able to schedule patient appointments. […]

As of November 10, Akumin also declared that patients would be able to recover most of their health documentation (but not all, editor’s note).

At this time, you can retrieve most past imaging and radiology results. Since our systems are being restored with differing timelines, a limited amount of past imaging may still be currently unavailable. […]

Based on the research conducted so far, it can be asserted that in the early days of November, another ransomware group, BianLian, infiltrated Akumin’s IT systems, stealing a substantial amount of data, 5TB, as claimed by the group in a note on their website on the Tor network.

[Image: screenshot and redaction by SuspectFile.com]

On December 6, a new press release published on Akumin’s website once again asserts, as previous statements had, that the company was hit by a single ransomware group on October 11; it never mentions a second ransomware group. However, based on the information we have gathered in recent weeks, it appears that BianLian targeted Akumin’s IT infrastructure in the early days of November, roughly a month after the BlackSuit attack.

The press release also mentions the type of data exfiltrated from Akumin’s servers.

[…]Akumin identified that patient information may have been copied, which may include one or more of the following: name, date of birth, diagnosis or condition, treatment information, and/or radiology images.[…]

On the BlackSuit website, we found no confirmation; the cybercriminal group has never listed Akumin among its victims, nor has it ever published proof data. However, it is worth remembering that, according to the hypothesis put forth by the HHS, BlackSuit is indeed the ransomware group responsible for the initial data theft that occurred on October 11.

[…]BlackSuit has only one purported victim from the HPH sector in the United States. The ransomware attack was significant, as the victim provides medical scans and radiology services for almost 1,000 hospitals and health systems in 48 states. The initial impact of the attack caused the victim to shut down computer systems and turn away patients at fixed-site locations. No further details are known at this time, although given the ubiquitous geographic presence of the victim, significant impacts could still follow.[…]

What could all this potentially mean if BlackSuit indeed targeted Akumin’s servers but never published the victim’s name on its website?

The only plausible explanation is a negotiation that concluded with an agreement between the BlackSuit ransomware group and Akumin for the payment of the ransom.

In recent days, we initially contacted the media-dedicated email ([email protected]), seeking a statement on the matter, but received no responses. Subsequently, we also reached out to Akumin’s corporate leadership (President & Chief Operating Officer, Chairman & CEO, President Oncology, Chief Financial Officer, Senior VP Operations AO, VP of IT Operations), and once again, we did not receive any responses.

But today, the only certainty we have is that millions of documents, including PHI and PII, are in the hands of the ransomware group BianLian. It is still unclear what decision Akumin intends to take before the cybercriminals begin to release them publicly.

SuspectFile will update the article in case of new developments.