Last July, the cybercriminal group Meow Leaks published on its Tor-hosted marketplace the name of its latest victim, The Physical Medicine & Rehabilitation Center, P.A. (PMRC), a physical medicine and rehabilitation practice headquartered in Englewood, NJ, with four additional locations across New Jersey and New York:
- Fort Lee, NJ
- West New York, NJ
- Bardonia (Rockland), NY
- Bronx (Riverdale), NY
In the post, Meow Leaks described the type of information contained in the files exfiltrated from the rehabilitation center’s servers: over 40GB of patients’ PHI (Protected Health Information) and PII (Personally Identifiable Information), administrative data, and employee information. All of the exfiltrated data was put up for sale for $15,000.
We are offering an exclusive opportunity to access over 40 GB of confidential data from The Physical Medicine Rehabilitation Center. This comprehensive collection includes sensitive information such as patient records, medical histories, doctor notes, employee data, and much more.
The post also included a series of five screenshots of documents as proof of the data in their possession. These images are still available on the group’s blog.
Screenshot and redaction by SuspectFile.com
One of these documents is a patient’s medical record, with personal details left unredacted. The document originates from a medical center other than PMRC, where the patient had evidently received earlier treatment.
Below is the breakdown of the data:
➣ Patient’s full name
➣ Date of birth
➣ Referring physician
➣ Medical history
➣ Diagnosis
➣ Insurance type
Screenshot and redaction by SuspectFile.com
We had the opportunity to examine dozens of other documents exfiltrated by Meow Leaks, beyond those the group published on its marketplace last July. We can confirm that the sensitive data concerning both patients and employees is extensive in both kind and volume.
Patient data:
➤ Patient full names
➤ Dates of birth
➤ Full addresses
➤ Phone numbers
➤ Email addresses
➤ Social Security Numbers (SSNs)
➤ Medical Record Numbers (MRNs)
➤ Individual patient medical records
➤ Clinical tests conducted on individual patients
➤ Diagnostic images of patients
➤ Medical history, treatment, and care of individual patients
➤ Patient Aging Detail
➤ Superbill/ID
➤ Patient Name/ID
➤ Payer Credit Summary
➤ Health insurance company names and numbers
➤ Supplier contracts
➤ Health Insurance Claim Form documents
Employee data:
➤ Full names of physicians and dates of employment
➤ Dates of birth
➤ Full addresses
➤ Marital status
➤ SSNs
➤ National Provider Identifier (NPI)
➤ Life Insurance for PMRC Employees
➤ Employee email addresses
➤ Annual salary
We are aware that between July 26 and August 6 a total of 11 emails were exchanged between Meow Leaks and PMRC.
However, one detail strikes us as odd. The email address PMRC used to communicate with Meow Leaks is not a company address but a “generic” @gmail.com address. So we ask: why did PMRC not reply from the [email protected] account, the same address to which Meow Leaks had sent its first email? A separate, non-corporate mailbox is sometimes used during negotiations when the victim suspects its own mail environment is compromised, or when an outside negotiator is handling the exchange; whether either applied here is not known to us.
Meow Leaks claims to have learned that PMRC was replying to emails the group had not sent, and states that those emails had been written by scammers.
Screenshot and redaction by SuspectFile.com
In the following email, the group states that the price to remove the listing from its marketplace is $15,000.
Screenshot and redaction by SuspectFile.com
In the third email, PMRC asks Meow Leaks to provide a list of files or other proof, in order to verify whether the group’s claims are genuine or misleading.
Screenshot and redaction by SuspectFile.com
In the subsequent email, Meow Leaks sent the rehabilitation center’s contact four URLs from which a set of proof files could be downloaded. PMRC instead asked to receive the complete file directory listing.
Screenshot and redaction by SuspectFile.com
To demonstrate that the files were in its possession, Meow Leaks wrote in subsequent emails that it could modify the text of the post on its blog at any time and asked PMRC which words it would like added to the description. The group also stated that it would not provide a complete file directory, but was willing to offer further evidence and asked PMRC to choose one of the directories shown in the screenshots sent earlier. Meow Leaks asked whether PMRC preferred to pay scammers and get nothing in return, or to pay the group to remove the files from its marketplace.
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
At this point Meow Leaks begins to lose patience, but PMRC again requests the file directory. The group’s response in the following email is unchanged: it will not provide the directory listing. Part of PMRC’s subsequent reply is hard to follow: the contact claims not to know the contents of the folders shown in the screenshots sent by Meow Leaks, and even asks whether the extracted files contain PHI and PII. This raises an obvious question: who should know the contents of those folders if not PMRC, given that the files were taken from its servers and are present on its employees’ computers? It is also possible that the contact was deliberately feigning ignorance to buy time, a common negotiation tactic, or simply did not have access to the affected file shares.
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
In the penultimate email, Meow Leaks issues an ultimatum to the rehabilitation center’s contact: either purchase the data or it will be sold to others. At this point PMRC, apparently realizing it can delay no longer, asks the group for a list of the files within a specific folder.
Note: In the screenshot, we have deliberately edited the folder name as it contained the initial and full last name of a female PMRC employee.
Screenshot and redaction by SuspectFile.com
In the final email, dated August 6, Meow Leaks provides the URL to download the list of files in the folder requested by the victim. The group reminds PMRC that there is not much time left to decide whether to pay $15,000 for the deletion of the 40GB of data; otherwise, if there were further delays, the data would be sold to a buyer.
Screenshot and redaction by SuspectFile.com
After this email there were no further communications between the two parties; August 6 is the date of PMRC’s last reply to Meow Leaks. Exactly one month later, on September 6, the rehabilitation center published a statement on its website informing its patients that it had been the victim of a data breach. Despite the volume and sensitivity of the exfiltrated data, the intrusion by a group of cybercriminals, and the theft of 40GB of PHI and PII from its servers, the statement appears to downplay the incident, referring to the cybercriminals as an “unauthorized party” and to the intrusion into its IT systems and network as “unusual activity.” The statement reads:
On July 8, 2024, The Physical Medicine & Rehabilitation Center, P.A. (“PMRC”) experienced unusual activity on our network. […] Our investigation determined that certain information stored on our network was accessed by an unauthorized party between July 8, 2024, and July 9, 2024. […]
On September 8, SuspectFile.com emailed PMRC requesting a statement regarding the breach. Our email was sent to 8 addresses belonging to the rehabilitation center and included a series of specific questions about the case. We also informed them that we would be publishing an article about the data breach in the coming days. We know that all 8 emails were opened and read, but to date we have received no response.
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
Returning to the 40GB of data still in the possession of Meow Leaks, and to the number of individuals affected by the breach: in the images below we have used one document from each of the 5 medical facilities, with 2023 as the reference year.
- Englewood: In the file titled “Patient Aging Summary Englewood run 11-1-23.pdf,” there are a total of 673 patient names, IDs, and information on the costs of medical treatments incurred.
Screenshot and redaction by SuspectFile.com
- Fort Lee: In the file titled “Patient Aging Summary Fort Lee run 11-1-23.pdf,” there are a total of 208 patient names, IDs, and information on the costs of medical treatments incurred.
Screenshot and redaction by SuspectFile.com
- Bronx (Riverdale): In the file titled “Patient Aging Summary Riverdale 11-1-23.pdf,” there are a total of 338 patient names, IDs, and information on the costs of medical treatments incurred.
Screenshot and redaction by SuspectFile.com
- Bardonia (Rockland): In the file titled “Patient Aging Summary Rockland run 11-1-23.xlsx,” there are a total of 434 patient names, IDs, and information on the costs of medical treatments incurred.
Screenshot and redaction by SuspectFile.com
- West New York: In the file titled “Patient Aging Summary WNY run 11-1-23.pdf,” there are a total of 88 patient names, IDs, and information on the costs of medical treatments incurred.
Screenshot and redaction by SuspectFile.com
Among the files reviewed, we found an Excel file (Patient Mailing List Riverdale2013-2014.xlsx) dated October 2014, now ten years old. It lists 1,493 medical visits made by patients at the Riverdale rehabilitation center between January 1, 2013, and December 31, 2014. That a decade-old mailing list was still sitting on the compromised systems is a data-retention problem in its own right. The file contains the following sensitive data:
➤ First Name, Last Name
➤ Birth Date
➤ Gender
➤ Address
➤ City, Zip Code, State
➤ Phone Number
Screenshot and redaction by SuspectFile.com
We have also mentioned the presence of patients’ medical documents, such as test results and medical records. Below are a few of them (provided as examples only), which we have redacted to protect the individuals’ privacy.
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
As stated at the beginning of this article, the documents leaked by Meow Leaks in early July also include sensitive data of PMRC employees:
➤ First Name, Last Name
➤ Birth Date
➤ Gender
➤ Address
➤ City, Zip Code, State
➤ Phone Number
➤ Marital Status
➤ SSN
➤ Annual Salary
➤ Routing Number
➤ Account Number
None of this information, like the data in the patients’ medical records, was password-protected or redacted in any way. We have provided redacted examples of three files below. The first is the 2022 employee census report (“Employee_Census_Report_2022.pdf”), the second the 2022 employee earnings summary (“Employee_Earnings_Summary_2022.xlsx”), and the third the 2022 employee email list (“Employee_EmailList11.22.2022.xlsx”).
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
Regarding its response to the breach, The Physical Medicine & Rehabilitation Center, P.A. stated in its September 6 announcement:
[…] In response to this incident, we immediately began an investigation. Through our investigation we have notified law enforcement, reset account passwords, and reviewed our policies and procedures relating to this incident. We are also providing potentially affected individuals access to credit monitoring and identity protection services as an added precaution. […]
As a Covered Entity under HIPAA (the Health Insurance Portability and Accountability Act, a U.S. federal law enacted in 1996 to protect patient health information and improve health insurance portability), PMRC is also required to notify the HHS (U.S. Department of Health and Human Services) of the total number of affected individuals. For a breach affecting 500 or more individuals, the HIPAA Breach Notification Rule requires that notice reach HHS without unreasonable delay and no later than 60 days after discovery. We know the number here exceeds 500: the five 2023 Patient Aging Summary reports alone list 1,741 patient entries, not counting the patients, employees and older records in the other files. We are confident that this requirement has been met, although as of now the HHS breach portal has not been updated with information regarding this case.