This article will cover what appears to be a triple cyberattack on the IT systems of Rocky Mountain Gastroenterology (RMG), a medical clinic specializing in gastroenterology with its main office in Lakewood, Colorado, and 26 operational locations. According to information gathered in recent weeks, the attack was carried out by three different cybercriminal groups.
Initial findings suggested that RMG had been targeted by only two groups, Meow Leaks and RansomHub. However, a third group was later identified thanks to a tip from Dissent at DataBreaches.net: the Trinity ransomware group.
As reported on the respective blogs of these three groups in recent days, the total amount of exfiltrated data is not uniform and varies by group:
- Trinity: 330 GB
- RansomHub: 200 GB
- Meow Leaks: over 80 GB
Currently, the Trinity blog no longer lists any of its victims, but we have confirmed two records through ransomfeed.it and ransomlook.io.
Screenshot and redaction by SuspectFile.com
Recently, we reached out to the Meow Leaks and RansomHub groups via Tox chat. We asked them questions regarding the same victim being attacked three times by different groups within less than a month. We inquired whether, based on their information, these were three distinct attacks or if a single affiliate had exfiltrated data from the RMG servers and then provided it to all three groups. Lacking a direct contact, we were unable to pose the same questions to the Trinity ransomware group.
RansomHub provided us with a statement indicating that after encrypting the RMG servers, a negotiator from the medical clinic entered the chat room, but the negotiation quickly came to an end.
We encrypted them, and they visited the chat room to negotiate, but the negotiation broke down. Of course, someone else may have hit it in the same way later. They did not pay, so they don’t know how to fix their system.
Meow Leaks informed us that the source who provided them with over 80 GB of data from RMG claimed that the attack on the medical clinic's networks is unrelated to those conducted by the other groups.
Our vendor said it was a separate hack.
We know that after data exfiltration, Trinity encrypts the systems. We have confirmation that RansomHub also encrypted the data on the RMG servers, while Meow Leaks only exfiltrates data without encrypting it.
Therefore, what truly happened to the RMG servers is still not entirely clear to us. But could there be a different truth than that told by the affiliates of the groups?
We asked a ransomware group unrelated to the events whether they believed a single person could be behind the three attacks, capable of encrypting data as both a Trinity affiliate and a RansomHub affiliate, and finally serving as a data provider for the Meow Leaks group. This is merely our hypothesis, and we do not have concrete evidence to assert it. Here is what they responded:
Of course it's possible, but it's not a good way
The other aspect of this case that does not entirely convince us is the blank page, with no victims listed, on Trinity's .onion blog. At least until October 3rd, that page contained a list of at least ten victims, including Rocky Mountain Gastroenterology, which Trinity had listed on the blog on September 13th. For RMG, the deadline set by Trinity before the publication of the data was October 16th, as reported in this screenshot from ransomlook.io.
Screenshot: ransomlook.io – Redaction by SuspectFile.com
In recent weeks, RansomHub had leaked RMG data within the Tor networks. On September 28th, they published the .onion URL on their blog to download an archive of 68.8 GB of data, which, as we write, is still available.
Screenshot and redaction by SuspectFile.com
On October 13th, Meow Leaks published a notice in their marketplace for the sale of the over 80 GB of data they possessed, priced at $400,000. The group also provided a set of 30 proof files containing commercial invoices, medical reports, health insurance information, an expired 2010 passport belonging to a Texas resident, a UnitedHealthcare health insurance card, and other confidential documents.
Below, we present some of the documents available in the Meow Leaks marketplace, which we have redacted to protect the privacy of the individuals involved, whose data was exposed against their will.
Screenshot and redaction by SuspectFile.com (Note: Passport expired in 2010, but still present in RMG system)
Screenshot and redaction by SuspectFile.com
We provide, as an example, a portion of a medical record of a patient who received treatment at the medical clinic last July.
Redaction by SuspectFile.com
In the past few days, we have had the opportunity to review dozens of files. Below, we list the types of personal data present in an Excel file covering the period 2015–2019, ‘2Copy of [EDITED] all sites.xlsx’ (we edited part of the file name because it included the name of an RMG employee).
- Patient’s Full Name
- Gender
- Date of Birth
- Full Address
- Home Phone Number
- Work Phone Number (in some cases)
- Personal Email
- Patient SSN (in some cases)
- Diagnosis
- Medication Treatment (Remicade)
- Subscriber’s Full Name / Relationship
- Health Insurance Name
- Health Insurance Policy Number
- Referring Physician’s Full Name
- RMG Provider’s Full Name
- Provider SSN
Inside the file ‘2Copy of [EDITED] all sites.xlsx’, the sheet labeled ‘Medicare’ shows the number of services rendered, indicating that between 2015 and 2019 there was a total of 169,834 unique patients, as reported in the table below.
Screenshot and redaction by SuspectFile.com
We find the same number of unique patients in the sheets “[EDITED]_Data Entry” and “[EDITED]_Insurance Data Entry”.
Screenshot and redaction by SuspectFile.com
Yesterday, we sent an email to a number of RMG employees requesting statements regarding the triple data breach. We wonder whether the patients of Rocky Mountain Gastroenterology are still unaware of all this. We also question whether the Department of Health and Human Services (HHS) has already been notified of the incident, since, as noted above, in addition to PII, the PHI of tens of thousands of patients has also been affected.
Companies and organizations that collect or store personal data must notify Colorado residents if a security breach occurs that results in unauthorized access to or theft of PII or PHI.
In Colorado, notification in the event of a theft of personally identifiable information (PII) and protected health information (PHI) is governed by the Colorado Consumer Data Protection Act and the Colorado Security Breach Notification Act. Notification must be made within 30 days of the organization becoming aware of the breach, one of the stricter timelines among U.S. states. If the breach involves more than 500 residents, notification must also be provided to the Colorado Attorney General's office.
Notification Timelines to HHS:
Organizations covered by the federal HIPAA (Health Insurance Portability and Accountability Act) must follow specific procedures to notify the Department of Health and Human Services.
- Breaches involving 500 or more individuals: The organization must notify HHS without unreasonable delay and no later than 60 days from the discovery of the breach.
- Breaches involving fewer than 500 individuals: Notification must be sent within 60 days after the end of the calendar year in which the breach was discovered.
We know that at least two recipients have opened and read our email, but as of the publication of this article we have yet to receive any response, and no announcement has been made on the Rocky Mountain Gastroenterology website.
SuspectFile.com will continue to monitor the situation and provide updates as new details emerge.