Double Data Sale? Suspicions Rise in PMRC Data Breach Involving 4,083 Patients

Last September, we published an article about the data breach suffered by the Physical Medicine & Rehabilitation Center, P.A. (PMRC) in Englewood, New Jersey, which was claimed by the Meow Leaks group.

In their statement on their .onion website, the cybercriminals asserted possession of Protected Health Information (PHI), Personally Identifiable Information (PII) of patients, administrative data, and employee information—over 40GB in total.

"We are offering an exclusive opportunity to access over 40 GB of confidential data from The Physical Medicine Rehabilitation Center. This comprehensive collection includes sensitive information such as patient records, medical histories, doctor notes, employee data, and much more."

We can confirm that this data is still available for sale on the Meow Leaks marketplace.

Screenshot and redaction by SuspectFile.com

As promised, we are updating the case with any new developments.

The first update concerns the publication on the U.S. Department of Health and Human Services website, revealing that PMRC reported 4,083 individuals affected by the breach. This information was made public on October 28.

Screenshot and redaction by SuspectFile.com

The second update involves a possible second intrusion into the New Jersey medical center’s IT systems by another group of cybercriminals, potentially at the beginning of this month. However, SuspectFile.com has strong doubts about the likelihood of a second attack on these networks.

Instead, we believe in the possibility of a double sale of the data by the original attacker, who may have sold it to two different groups. The first is already known as Meow Leaks, while the second, which recently posted proof files on its blog within the Tor network, is a group called Kairos.

Kairos is an emerging group, though some evidence suggests activity as early as 2021. They currently list six victims on their new .onion URL, including the Physical Medicine & Rehabilitation Center, P.A.

Screenshot and redaction by SuspectFile.com

On its blog, the cybercriminal group claims to possess 53GB of files. The PMRC entry contains six proof files: two passports (one belonging to a New York resident, the other to a New Jersey resident), and four other documents, including:

  • A Form W-2 of an employee
  • A certificate for a “Blood Bank License”
  • A CAP IPA Provider Information Update Form for an employee
  • A certificate of participation in MLMIC’s Proactive Risk Management Course Follow-up (Medical Liability Mutual Insurance Company)

Below, we provide two examples of documents posted by the Kairos group.

Screenshot and redaction by SuspectFile.com

Screenshot and redaction by SuspectFile.com

We have not been able to contact the Kairos group. We did reach out to Meow Leaks via Tox chat, but have not yet received a response on whether there was a new attack against PMRC or whether the exfiltrated data were simply sold to two different groups.

Additionally, we have again emailed PMRC, addressing eight of the center's employees. We received no response to the email we sent in September requesting their comment on the initial data theft case, despite knowing that all recipients had opened and read it. We will update this article should they reply.