The Akumin data breach was just the tip of a huge iceberg

Among the data exfiltrated last October by the BianLian ransomware group are not only hundreds of thousands of PHI (Protected Health Information) and PII (Personally Identifiable Information) records of patients treated at facilities affiliated with Akumin Corp. (Akumin), but also the personal data of the doctors who treated them. In this article we also provide a long list of hospitals and clinics where those patients underwent medical visits, diagnostic tests, and treatment.

Access to Akumin's servers on October 11 allowed BianLian to exfiltrate about 5 TB of data, millions of records, which the group then published on its leak blog after negotiations over a ransom payment went nowhere.

In two previous articles (Akumin Case: BianLian Publishes Initial Proof Data on Their Blog and Akumin undergoes two cyber attacks in less than a month: thousands of PHI and PII data still in the hands of BlackSuit and BianLian) we already discussed how Akumin handled a situation that looked very serious from the outset and what measures it took to try to safeguard the interests of patients who had relied on the hospital facilities associated with it.

We also discussed Akumin's "superficial" financial management, which forced it to file for bankruptcy on October 22 as the only way to restart its operations. This was done through an agreement with Stonepeak, an investment firm, which provided for the cancellation of $470 million in debt, with the remaining loan balance converted into ordinary shares of Akumin stock now owned by Stonepeak. That debt had reportedly begun to accumulate after the $820 million acquisition of Alliance HealthCare Services in September 2021. We will also discuss two other healthcare companies whose data appears in the exfiltrated files: Northeast Radiology (NERAD) and Steward Health Care System, LLC (Steward), the latter also burdened by serious financial problems.

We wonder what Akumin has done in these four months to protect the exfiltrated patient data, which, we recall, is still available on the BianLian blog. We also wonder whether the total number of individuals involved in the theft of PHI and PII data that Akumin reported to the HHS (7,127) is final. If so, we would be facing a huge "transparency problem": an inability to manage and resolve an incident that has not only created problems for Akumin itself but has also affected over 100 clinical and hospital facilities and hundreds of doctors who have provided their services at Akumin partner facilities.

We have sent a series of emails to Akumin, the last on February 18, asking specific questions to the executives at the top of Akumin (President & Chief Operating Officer, Chairman & CEO, President Oncology, Chief Financial Officer, Senior VP Operations AO, VP of IT Operations). These questions have so far gone unanswered. Furthermore, Akumin’s last public statement dates back to December 29.

Over these four months, SuspectFile.com has focused on six exfiltrated data files that BianLian published on its leak site on the Tor network.

ADW_OncologyBrockton.csv
ADW_OncologyMosaiqChargeData.csv
dimPatients.csv
EmployeeCreditCards.csv
PatientDemographicsthru9-27-2021.xlsx
wpuser.csv

In the six files we analyzed, we found not only patient PHI and PII but also the PII of physicians and the names of over 100 clinical and hospital facilities.

By cross-referencing the data, we found a complete lack of protection: every sensitive field was stored in plaintext, with no encryption, hashing, or masking. Alongside the patient data were the PII of medical staff and the names of the clinical and hospital facilities for which they provide, or have provided, their services as providers.

Below are some examples of the types of data found in the six files:

PATIENT DATA:

Name and surname
Date of birth/Date of death
Complete address
Gender
Race
Phone number
Email
SSN (Social Security Number)
Medical diagnosis
Diagnostic tests
Medical treatment

In addition to the above, data found within two files (dimPatients.csv and wpuser.csv) exclusively refer to the diagnostic center Northeast Radiology (NERAD) with its main headquarters in Brewster, NY, and four other medical-diagnostic facilities in the states of New York and Connecticut.

Mount Kisco, NY
Brookfield, CT
Danbury, CT
Danbury (Old Ridgebury Road), CT

The data in the two files refer to patients who have used the Northeast Radiology facilities over the years. We also want to point out to readers that much of the data in the two files is up to 10 years old. Unfortunately, the practice of never purging old records from servers has become commonplace; it is a mistaken practice, yet it is followed by most public and private hospitals, and every stale record that is kept is one more record that can be stolen.

Patient name and surname
Date of birth
Gender
Race
Address
City
Zip code
State
SSN
Email
Phone number

The files also contain credentials (usernames and passwords) that are no longer usable because they have expired. These credentials gave access to the Northeast Radiology website (https://myrecords.nerad.com) and, from there, to the reserved patient area, where patients could view and download the results of clinical and diagnostic tests performed at NERAD facilities.

The most recent credentials are dated July 2023. We wonder what would have happened had the cyberattack on Akumin's servers occurred a few months earlier, while those credentials were still valid.

[Screenshot (1a), NERAD; redaction by SuspectFile.com]

[Screenshot (1b), NERAD; redaction by SuspectFile.com]

The total number of individuals affected by the theft of their data in the two “NERAD” files is 413,418.

In the third file (ADW_OncologyBrockton.csv), we found 36,995 rows of data containing the PHI and PII of patients and the PII of the doctors who treated them. The file uses 87 abbreviated column headers drawn from the medical field, for example:

DxDesc (Diagnosis Description)
DOB (Patient’s Date of Birth)
LastName (Patient’s Last Name)
FirstName (Patient’s First Name)
StaffType (Hospital Staff Department)
RefNPI (National Provider Identifier)

The file’s creator indicated “Steward” for “Location,” “Brockton” for “SourceID,” “Steward” for “ServerName,” and “Steward1” for “FacilityID.” This last piece of data indicates the Steward Health Care System, LLC.

[Screenshot and redaction by SuspectFile.com]

Note that among the 36,995 rows, the same patient's name sometimes appears multiple times. The reason is that, over the course of treatment, the patient underwent multiple examinations or treatments on different dates, each producing its own row. To illustrate:

[Two screenshots; redaction by SuspectFile.com]

Below are the unprotected patient data present in the file:

Name and surname
Date of birth
Address
City
Zip code
State
Gender
Marital status
Religion
Diagnosis description
Types of tests performed

[Screenshot and redaction by SuspectFile.com]

Here are the unprotected data of the medical staff present in the file ADW_OncologyBrockton.csv:

AttLast|AttFirst (Attending Doctor)
PrimaryLast|PrimaryFirst (Primary Doctor)
MSQRefDrSpecialty
Referrer (Referrer Doctor)
ReferrerLast|ReferrerFirst (Referrer Doctor)
RefNPI (Referrer National Provider Identifier)
RefGroupName (Referrer Group Name)
RefAdd1 (Referrer Address)
ProcedureType
MedOncologist
Surgeon

[Screenshot (2a); redaction by SuspectFile.com]
[Screenshot (2b); redaction by SuspectFile.com]

In the two images provided above, the name of Steward is visible. However, in the Akumin file, there are over 50 different clinical-hospital facilities providing medical services in the state of Massachusetts.

In the ADW_OncologyBrockton.csv file, one of the most recurrent medical facilities is Steward. We sent an email to Steward asking whether they were aware of the data theft and, if so, what procedures they intended to put in place to protect the victims of the breach. We also sent requests for comment to three other hospital facilities listed in the files that the BianLian ransomware group exfiltrated on October 11, 2023:

– Dana-Farber Cancer Institute – Boston, Massachusetts
– Boston Medical Center – Boston, Massachusetts
– Anna Jaques Hospital* – Newburyport, MA

On January 23, 2024, Anna Jaques Hospital published this statement on its website.

[…] On or about December 25, 2023, Anna Jaques learned certain systems within our network environment were affected by a data security incident. Upon learning of the issue, Anna Jaques secured the environment and commenced an immediate and thorough investigation, which is still ongoing […] At this time, Anna Jaques’ investigation into the incident and what specific information was impacted is ongoing; however, the information may include demographic information, medical information, health insurance, and other personal or health information that you provided Anna Jaques […]

According to the information we have and to what a reliable source has revealed, the data breach of December 25, 2023, has nothing to do with the one of October 11 carried out by BianLian. The group claiming responsibility for the December cyberattack is Money Message. Anna Jaques Hospital would therefore have suffered two data thefts roughly three months apart.

Here is another passage from the statement published on the Anna Jaques Hospital website on January 23 that we consider important, because we sincerely cannot find evidence to support what it states, particularly as regards the best practices that every company entrusted with its clients' sensitive data should have implemented beforehand.

 Anna Jaques Hospital part of Beth Israel Lahey Health (“Anna Jaques”) is committed to our patients, their treatment, and their families – as well as protecting the privacy and security of their personal information […]

As a team of dedicated and caring professionals, Anna Jaques understands the importance of safeguarding individual personal information. Anna Jaques remains fully committed to maintaining the privacy of personal information in our possession, and upon learning of the event, Anna Jaques took immediate action to protect the individual personal information it maintains. Anna Jaques continually evaluates and modifies its practices to enhance the security and privacy of personal information and are taking measures to augment its existing cybersecurity […]

The only hospital company that responded to our emails was Steward. We can also confirm that, although Boston Medical Center has opened and read our email (see the screenshot below), no response has been received so far.

[Screenshot and redaction by SuspectFile.com]

Here is Steward's response, received one week after our first email.

STATEMENT FROM STEWARD HEALTHCARE
Contact: [REDACTED]
[REDACTED]@steward.org

Mr. De Felice,

Steward earnestly evaluates and addresses cybersecurity risks and ensures adherence to industry best practices and regulatory compliance. We are investigating your report relating to the Akumin incident in October 2023.

Sincerely,

Brittany Tuma
Interim Chief Compliance and Privacy Officer
Steward Health – Office of Corporate Compliance and Privacy (OCCP)
1900 North Pearl Street, 24th Floor | Dallas TX 75201

We contacted them through the person indicated in the email by the Interim Chief Compliance and Privacy Officer and asked again if they had already notified the U.S. Department of Health and Human Services (HHS) about the data breach from Akumin servers. Upon further research on this company, we became aware that Steward also has significant financial problems.

Last February, Lance Reynolds, a journalist for the Boston Herald, published an article on the financial situation and future of some of Steward's medical and hospital facilities. Reynolds writes that the Dallas-based hospital group has secured…

“a significant financial transaction” that an official says will “help stabilize” the company and save some of its Massachusetts hospitals from shuttering.

The Boston Herald journalist reports an optimistic statement made by the executive vice president Michael Callum, who claims that there are currently no indications suggesting the closure of any of the hospitals owned by Steward.

This funding will help stabilize operations, including the resumption of virtually all elective cases, and more importantly allows us to continue operations at all of our Massachusetts hospitals. To be clear, we have no current plans to close any of our hospitals in Massachusetts

Reynolds reports in his article other optimistic statements from the executive vice president of Steward.

The necessary capital for a robust national physician group and the time needed for Steward to consider transferring one or more of our hospitals to other operators.

We are confident that both transactions will provide us with the necessary funds to get us through this challenging time. In the meantime, we remain dedicated to serving the Commonwealth and the patients in our communities.

We wanted to better understand whether Callum’s statement truly corresponds to reality, or if the employees working at the group’s facilities and the patients who rely on their care should be concerned.

We sought to gather more information by reading the industry journal Healthcare Dive, which has been covering the issues affecting Steward’s corporate leadership, employees, suppliers, and, consequently, the patients who entrust their health to Steward Health Care System hospitals. The impression we formed is anything but positive.

In her excellent article, Susanna Vogel describes the financial situation of Steward as something “embarrassing,” to put it mildly. But let’s understand better why.

As of today, according to the owner of the hospital group, the unpaid debt would amount to over $50 million, and there are also legal cases that Steward will have to face. One of these is the lawsuit filed in federal court in Massachusetts by Joseph Nocie, who served as Chief Financial Officer at St. Elizabeth's Medical Center in Brighton, MA, from May 2016 to November 2017.

Nocie, the journalist writes in the article, alleges that Steward Medical Group improperly linked a chief cardiologist’s compensation with his referrals, leading the group to award him nearly $5 million in incentive-based compensation – thereby violating the physician self-referral rules, known as the Stark Law. St. Elizabeth’s Medical Center, which employed the cardiologist, is also accused of submitting over 1,000 claims for services billed to Medicare totaling tens of millions of dollars, despite knowing that the claims were not eligible for payment.

Then there is the matter of Mass General Brigham (MGB) of Boston withdrawing its physicians from Steward’s Holy Family Hospital, which was decided by MGB’s corporate leadership last January due to serious concerns regarding the financial issues of the Dallas-based group.

The journalist’s article reports further situations that highlight the poor financial management by the corporate leadership of the Steward healthcare group and the not-so-amicable relationship with the governmental institutions of the state of Massachusetts.

We can assert that in the data exfiltrated by BianLian that we have examined over these months, the names of Steward hospital facilities recur many times, but to date, we have no information regarding notifications sent to the HHS, state Attorneys General, and especially to the patients regarding the PHI and PII data made public by the ransomware group.

The fourth file we analyzed, ADW_OncologyMosaiqChargeData.csv, is divided into three "sections", distinguished by the value its compiler placed in the "ServerName" column:

Bethesda
Newburyport
Huntsville

The total number of data rows in the file is 252,942.

[Screenshot (ServerName: Bethesda); redaction by SuspectFile.com]
[Screenshot (ServerName: Newburyport); redaction by SuspectFile.com]
[Screenshot (ServerName: Huntsville); redaction by SuspectFile.com]

This file, too, exposes patients' PHI and PII, the PII of medical staff, and the names of the facilities where patients underwent diagnostic tests and cancer treatment. It uses 77 abbreviated column headers; here are some of them:

Patient-related:

DxDesc (Diagnosis Description)
CPTGroup
CPTShortDesc
CPTDesc
DOB (Date of Birth)
Expired
SSN (Social Security Number)
LastName
FirstName
PtAddress1
Gender
Marital
PtCity
PtState
ClinicalStatus

Staff-related:

StaffID
StaffType
StaffLastName
StaffFirstName
StaffSuffix
AttendingID
AttLast
AttFirst
AttSuffix
PrimaryID
PrimaryLast
PrimaryFirst
Referrer
RefNPI
ReferrerLast
ReferrerFirst
RefAdd1
RefCity
RefState
RefZip
Location_ID
Location
Consult
MedOncologist
Surgeon

As in the ADW_OncologyBrockton.csv file, this CSV file also contains multiple rows for a single patient. The repetition is due to patients undergoing multiple examinations or treatments on different dates during their treatment period, so the number of rows is not the number of individuals.
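As an added example, not part of the original article or of any tool used by SuspectFile.com, the following Python script shows how a reviewer can make the two observations above measurable on a file like ADW_OncologyBrockton.csv or ADW_OncologyMosaiqChargeData.csv: it detects which columns hold raw SSNs, and it collapses repeated encounter rows into a per-ServerName count of distinct patients so that the row total is not mistaken for the number of victims. The CSV embedded in it is constructed; the column names follow those listed in the article (ServerName, LastName, FirstName, DOB, SSN, DxDesc, Location), but every value is invented.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample, NOT data from the breach. Headers mirror the ones the
# article lists; every value is made up. Rows 1-2 and 4-5 are the same
# patient seen on different dates, the pattern the article describes.
SAMPLE_CSV = """ServerName,LastName,FirstName,DOB,SSN,DxDesc,Location
Bethesda,Doe,Jane,1961-03-04,123-45-6789,Malignant neoplasm of breast,Clinic A
Bethesda,Doe,Jane,1961-03-04,123-45-6789,Malignant neoplasm of breast,Clinic A
Bethesda,Roe,Richard,1955-11-30,987-65-4321,Prostate cancer,Clinic B
Newburyport,Poe,Alice,1972-07-19,,Lymphoma,Clinic C
Newburyport,Poe,Alice,1972-07-19,,Lymphoma,Clinic C
Huntsville,Bloggs,Joe,1949-01-02,555-12-3456,Lung cancer,The Center for Cancer Cure HUNTSVILLE
"""

# A raw, unmasked US SSN in the usual dashed form (hypothetical pattern choice;
# a production scanner would also accept the 9-digit undashed form).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def plaintext_ssn_columns(rows):
    """Return the column names in which at least one value looks like a raw SSN.

    Scanning every column, not only one named 'SSN', catches identifiers that
    leak into free-text or mislabelled fields.
    """
    hits = set()
    for row in rows:
        for col, val in row.items():
            if val and SSN_RE.match(val.strip()):
                hits.add(col)
    return sorted(hits)


def row_counts_by_server(rows):
    """Raw row count per ServerName section (what a naive tally would report)."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["ServerName"]] += 1
    return dict(counts)


def unique_patients_by_server(rows, key=("LastName", "FirstName", "DOB")):
    """Distinct patients per ServerName, collapsing repeated encounter rows.

    The identity key is an assumption: name plus date of birth is the minimum
    that separates two people with the same name; an SSN, where present and
    trustworthy, would be a stronger key.
    """
    seen = defaultdict(set)
    for row in rows:
        ident = tuple(row[k].strip().lower() for k in key)
        seen[row["ServerName"]].add(ident)
    return {server: len(ids) for server, ids in seen.items()}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("columns holding plaintext SSNs:", plaintext_ssn_columns(rows))
    print("rows per ServerName:          ", row_counts_by_server(rows))
    print("unique patients per ServerName:", unique_patients_by_server(rows))
```

On the sample, Bethesda shows 3 rows but 2 patients and Newburyport 2 rows but 1 patient, which is exactly the gap between "rows of data" and "individuals affected" that any notification count has to bridge; the same script, pointed at a real export, gives the deduplicated figure a breach report should carry.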

Now let’s delve into the details of each area:

Bethesda

This section contains a total of over 128,500 rows of data. The patients’ residences and the hospital facilities where the doctors work cover several American states, including Alabama, Arizona, Mississippi, Pennsylvania, Texas, and Tennessee.

The following table lists the hospital facilities where the doctors practice:

Newburyport

In this section, there are a total of over 42,400 rows of data. The hospital facilities where the doctors work, as listed in the file, pertain to the state of Massachusetts, which we detail in the table below:

Huntsville

In this third and final section of the file, there are over 81,900 rows of data. The hospital facilities where the doctors work, as listed in the file, are located in three American states:

Alabama
Tennessee
Texas

In the file, under the "Location" column, the phrase "The Center for Cancer Cure" is always followed by one of these three names:

CLEARVIEW
DECATUR
HUNTSVILLE

[Screenshot and redaction by SuspectFile.com]

In the fifth file, PatientDemographicsthru9-27-2021.xlsx, there are PII data of 7,043 patients, the majority of them residents of Arizona. Once again, sensitive data is stored in plaintext, including:

PatientID
Name and surname
Date of Birth
Address
City
Zip code
State
Gender
Marital status
SSN (Social Security Number)
Email (in some cases)
HomePhone
CellPhone (in some cases)
PrimaryLocation
ResponsibleProviderNPI
ReferringProviderNPI
CreateDate
LastVisitDate
PrimaryInsuranceName
PrimaryInsurancePolicyNumber
SecondaryInsuranceName
SecondaryInsurancePolicyNumber

Within the last file analyzed, “EmployeeCreditCards.csv,” we found references to employees of Alliance HealthCare Services, which became part of Akumin in September 2021. In this file as well, we discovered sensitive data in plaintext, without any form of protection.

The spreadsheet contains:

Employee’s name and surname
Basic Control Account Name
Card Member Number
Card Member Name
Cost Center
Employee ID
SSN (Social Security Number)
Company Name
Address
City
State
Zip code
Country State Code
Home Phone
Credit Card Type
Credit Card Expiry Date

[Two screenshots; redaction by SuspectFile.com]

The total number of Alliance HealthCare Services employees affected by the data breach is 2,137.

The Akumin data breach, as we have seen, did not affect only the 7,127 individuals the company has reported so far. Even allowing for the fact that the row counts in the oncology files include the same patient several times, the two NERAD files alone account for 413,418 individuals, and across all six files well over 500,000 patients and employees of various hospital facilities have lost control over their data.

What is still alarming is the total indifference of those who should diligently safeguard the data. Even more concerning is that, after four months since the ransomware cyberattack, the real data and the actual extent of the theft are still unknown.

The data we've analyzed is just a drop in the ocean: BianLian exfiltrated over 5 TB of sensitive documents and images from Akumin's servers, millions of records that have probably been circulating on the dark web for some time. A name, date of birth, SSN, diagnosis, and treating physician together are all that is needed for a convincing targeted phishing campaign, once again putting ordinary people at risk because of the actions of greedy and incompetent individuals.


SuspectFile.com would like to thank @Dissent of DataBreaches.net for the valuable assistance provided in helping us better understand the U.S. laws regulating the public and private healthcare systems.