KY: Paducah Dermatology Affected by Medusa Ransomware Group – Ransom Demand Stands at $100,000


Paducah Dermatology PLLC, a dermatology clinic in the U.S. state of Kentucky, is one of the latest medical victims of Medusa. For the deletion of the extracted documents, the ransomware group has demanded a ransom of $100,000 in bitcoin.

Headquartered in Paducah, the dermatology clinic also provides care to its patients at three other locations:

– Marshall County, KY
– Murray, KY
– Martin, TN

In recent days, the ransomware group has posted initial details about the cyberattack on the clinic’s servers on its blog on the Tor network.

According to figures reported by Medusa, 15 GB of extracted documents would be deleted if Paducah Dermatology PLLC agrees to pay the ransom by April 13th. This is the deadline that Medusa has set for the transfer of funds to its BTC wallet.

SuspectFile.com has been able to analyze some of the documents extracted during the attack on the American clinic’s servers, which occurred in the last days of March. The files contain sensitive data of both patients and employees of the U.S. dermatology clinic, including:

– Full names
– Dates of birth
– Patient’s date of death
– Addresses
– Patient insurance information
– Patient account numbers
– Reason for clinic visit
– Patient medical history
– Phone numbers
– Email addresses
– SSNs (Social Security Numbers)
– Employee salaries
– Employee hourly wages
– Employee bank account numbers
– Employee driver’s licenses
– Administrative documents

The file “6736_paducahderm_insertReadyPatients (1) 07072021.csv” contains 33,839 rows of data, including patient names and dates of birth; the file was last updated on 07/07/2021. This suggests that the number of patients who had visited Paducah Dermatology PLLC clinics as of July 2021 was nearly 34,000.

Screenshot and redaction by SuspectFile.com

In the file “MOD5181 Appointments 06092020-06142021 with pt address and insurance info on hand.xlsx”, we found a considerable amount of sensitive data pertaining to 8,282 patients. We presume that the number of patients affected by the data breach is related solely to the period from June 2020 to June 2021.

The sensitive data includes:

– Full names of patients
– Patient’s full address
– Dates of birth of patients
– Patient’s phone numbers
– Patient account numbers
– Reason for clinic visit
– Patient medical history
– Full name of the treating physician
– Name of the facility where the patient received treatment
– Name of the health insurance company

Screenshot and redaction by SuspectFile.com

In recent days, we sent an email to three physicians who were victims of the data breach. We requested comments on the case, but we have not received any responses thus far. The file “Employee Info – DD Form 01062023.xls” contains sensitive data of Paducah Dermatology PLLC employees, which we list below; the number of employees listed in the Excel file is 39. The data is still in the hands of the Medusa ransomware group.

The sensitive employee data includes:

– Full name
– Date of birth
– Full address
– Email address
– Social Security Number (SSN)
– Date of employment
– Hourly wage
– Employee Roth
– Aflac Pre-tax and Aflac After tax
– Bank/institution name
– Revenue and Taxation (R&T)
– Account number

Screenshot and redaction by SuspectFile.com

Other documents found in the file tree published by Medusa, comprising over 38,000 rows of data, also include administrative documents, in addition to copies of employees’ driver’s licenses.

a-Employee driver’s license – Screenshot and redaction by SuspectFile.com
b-Employee driver’s license – Screenshot and redaction by SuspectFile.com

The cyberattack on Paducah Dermatology PLLC, which resulted in the exfiltration of documents from its servers, was once again made possible by “superficial” management of the network. We have learned that the Medusa ransomware group gained access through the Remote Desktop Protocol (RDP), most likely by way of weak or stolen credentials.

Enabling RDP on a system without appropriate security measures can open the door to unauthorized access: an exposed RDP service will be probed with brute-force or credential-stuffing attempts against its accounts. Before RDP is enabled, therefore, a comprehensive risk assessment should be carried out and adequate controls put in place, such as multi-factor authentication, data encryption and, above all, restriction of who can reach the service, in order to mitigate the threat.
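As an added illustration of the point above (this is example code written for this article, not material from Medusa or from the clinic), the following script shows the kind of check a defender can run over Windows Security log data to spot the credential attack pattern described here: a burst of failed RDP logons (Event ID 4625, LogonType 10) from one source address, followed by a successful RDP logon (Event ID 4624) from the same address. The event IDs and logon type are the standard Windows values; the IP addresses, usernames and timestamps are constructed for the example.

```python
"""Detect RDP brute-force activity in Windows Security events and escalate
when the same source later logs on successfully.
Added example; not from the original article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields.
# 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
# Addresses and usernames are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2023-03-28T02:14:01", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2023-03-28T02:14:03", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "admin"},
    {"time": "2023-03-28T02:14:05", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "frontdesk"},
    {"time": "2023-03-28T02:14:08", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "billing"},
    {"time": "2023-03-28T02:14:10", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "scheduler"},
    {"time": "2023-03-28T02:14:40", "event_id": 4624, "logon_type": 10, "ip": "203.0.113.45", "user": "scheduler"},
    # Benign noise: one mistyped password from the office LAN, then success.
    {"time": "2023-03-28T08:01:00", "event_id": 4625, "logon_type": 10, "ip": "192.168.10.22", "user": "drsmith"},
    {"time": "2023-03-28T08:01:20", "event_id": 4624, "logon_type": 10, "ip": "192.168.10.22", "user": "drsmith"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for source IPs with at least `threshold` failed RDP
    logons inside `window`, plus an escalated alert when such an IP later
    logs on successfully (the signature of a guessed or stolen password)."""
    recent = defaultdict(list)   # ip -> [(timestamp, user), ...] failures inside the window
    flagged = set()              # ips already reported for brute force
    alerts = []

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue             # only RDP (RemoteInteractive) logons matter here
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]

        if ev["event_id"] == 4625:
            # Slide the window: keep only failures that are still recent.
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, ev["user"]))
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "bruteforce",
                    "ip": ip,
                    "count": len(recent[ip]),
                    # Many distinct usernames from one source is a spraying pattern.
                    "users": sorted({u for _, u in recent[ip]}),
                    "first": recent[ip][0][0].isoformat(),
                    "last": ts.isoformat(),
                })
        elif ev["event_id"] == 4624 and ip in flagged:
            # A success from a source that was just brute-forcing is the
            # highest-priority signal: the account is probably compromised.
            alerts.append({
                "type": "success_after_bruteforce",
                "ip": ip,
                "user": ev["user"],
                "time": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment this logic would live in a SIEM rule fed by the Security channel of every host that accepts RDP; the single mistyped password from the office LAN never reaches the threshold and produces no alert, while the pairing of a failure burst with a later success from the same address is what separates a compromised account from ordinary noise. The mitigations named in the article (multi-factor authentication, account lockout and, above all, not exposing RDP directly but restricting it to a VPN or gateway) cut off the attack before this rule ever has to fire.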

The question we ask ourselves when data theft of PHI and PII occurs is always the same. Have the victims been notified of the theft of their data?

We will update the article as soon as we are able to provide further details on the case.