In September, another U.S. hospital experienced a significant cyberattack resulting in a data breach. Community Hospital of Anaconda (CHA) is one of the latest victims of the Meow Leaks group.
CHA is a private, non-profit hospital located in Anaconda, Montana. With 25 beds, it is classified as a Critical Access Hospital (CAH), meaning it provides essential care to a rural community. The hospital has been repeatedly recognized as one of the top CAHs in the United States for quality of care and patient satisfaction. It offers various medical services, including emergency care, surgery, oncology, neurology, rehabilitation, and specialist treatments. Additionally, it is accredited as a trauma facility.
In early September, Meow Leaks managed to exfiltrate at least 540 GB of PHI (Protected Health Information) and PII (Personally Identifiable Information) from the hospital’s servers, affecting both patients and employees. We know that the group attempted to contact the hospital via email but received no response. The stolen data was put up for sale on the Meow Leaks marketplace at a price of $120,000.
In addition to the 41 document copies published by the cybercriminals, SuspectFile.com was able to review the file tree containing a total of 513,910 documents, which include a large amount of PHI and PII from both patients and employees. We analyzed unpublished documents, some containing the following sensitive information:
- Patient’s full name
- Date of birth
- Full address
- Phone number
- Social Security Number (SSN)
- Patient Medical Record Number (MRN ID)
- Current Primary Care Provider ID
- Health Insurance Records
- Driver’s license
- Administrative files
- Banking documents
- Invoices
- Physician’s full name
- Date of birth
- Full address
- Phone number
- SSN (Social Security Number)
- Employee ID
- Hire date
- Salary
- Hourly wage
- Location/Department/Position
- NPI number (National Provider Identifier, issued by the Centers for Medicare and Medicaid Services)
- DEA number (issued by the Drug Enforcement Administration)
- MT license number (issued by the Montana Board of Medical Examiners)
- EPIC Provider ID (from the Epic Systems software platform)
- TIN (Taxpayer Identification Number)
Below, we are publishing some documents already made public on Meow Leaks’ .onion site and others that we had the opportunity to review. The documents have been redacted to protect the privacy of the individuals involved.
Screenshot and redaction by SuspectFile.com
Among the documents stored on the hospital’s servers is one dated March 8, 2011. Storing such old documents online is a common (and incorrect) practice that we frequently observe whenever we have the opportunity to review data exfiltrated from entities targeted by cybercriminals.
Within the file titled “CC Patient List.xls”, we found what appears to be the total number of patients affected by the data breach, or at least the most recent number available. The last modification of the Excel document dates back to June 12, 2024, and includes a total of 7,321 patients who have received care over the years at the Community Hospital of Anaconda.
This file contains sensitive information regarding the patients and their respective healthcare providers, including:
- Patient’s full name
- Date of birth
- Full address
- Phone number
- Patient Medical Record Number (MRN ID)
- MyChart Status
- PCP name (Primary Care Provider)
- CUR PCP PROV ID (Current Primary Care Provider ID)
We were also able to analyze two similar files referring to patients treated at CHA during the period from October 2020 to February 2021, in the midst of the COVID-19 pandemic. These patients were undergoing pharmacological treatment with Remdesivir, an antiviral drug originally developed to treat Ebola, which had gained attention for its potential in treating COVID-19 during the pandemic.
The two files, titled “Remdesivir Patients with Data HIPAA.xlsx” and “Remdesivir Patients with Data.xlsx”, were compiled by healthcare providers. The first file omits any references that could identify patients or physicians by name, while the second file contains this information. The initial total number of patients in both files was 52, but only 47 had been subjected to this type of treatment.
Remdesivir Patients with Data HIPAA.xlsx – Screenshot and redaction by SuspectFile.com
Remdesivir Patients with Data.xlsx – Screenshot and redaction by SuspectFile.com
Among the documents reviewed, we also found those related to the staff of the Anaconda hospital, sensitive data that had not been redacted by CHA. The file we analyzed to understand how many employees might potentially have been involved in the data breach is titled “Employee List 12.31.23.xls”, with the last modification made on January 15, 2024, providing a relatively recent overview of the total number of employees.
In the first column of the file, there is a field labeled ‘Employee ID’, which is an identification number assigned to each employee hired over the years at CHA. We found the first employee hired in November 1984, who was assigned Employee ID ‘1’, and the most recent employee hired in January 2024, who was assigned Employee ID ‘2290’. Therefore, we can almost certainly establish that the total number of employees hired by CHA since the hospital began operations is 2,290. As of January 15, 2024, the total number of active employees was 495, excluding those who are no longer with the organization.
Before publishing this article, we attempted to contact CHA. We sent an email to the Chief Executive Officer and cc’d the Chief Nursing Officer, Director of Human Resources and Marketing, Assistant to the VP of Finance, and Pintler Family Medicine, requesting a statement regarding the incident. This inquiry was made considering that, to date, there is no public announcement on the hospital’s website concerning the data breach and the resulting exposure of sensitive information from both patients and employees.
As a healthcare provider subject to HIPAA (the Health Insurance Portability and Accountability Act of 1996), which is a federal law focused on safeguarding patient health information and enhancing the portability of health insurance, the organization is legally obligated to report any significant breaches of patient data to the U.S. Department of Health and Human Services (HHS). This includes cases where the breach affects more than 500 individuals.