In recent days, we reported in this article on the loss of 51GB of data from Northeast Ohio Neighborhood Health (NEON) following the cyberattack carried out on April 15th by the ransomware group Medusa. Many of these documents referenced PHI and PII of patients who had health insurance contracts with United Healthcare, and therefore with Optum and its subsidiary Change Healthcare.
On April 30th, all data exfiltrated from NEON servers was published by the Medusa group on their Telegram channel.
We were able to review the exfiltrated data and can confirm that the number of patients involved in the data theft is larger than previously reported (approximately 15,000). Furthermore, we can confirm that the number of documents published by Medusa with a direct link to the United Healthcare Group is significant.
However, analyzing the data proved immediately challenging. We were unable to determine an exact number of individuals affected by the data breach as the names of some patients often appeared multiple times in different files. Over the years, the same patient may have undergone various exams or medical treatments on different dates and in different NEON facilities.
In the previous article, we reported the number of patients listed in the file “NEON UDS Report_20230101_20231231_HIV Prenatal Patients.xlsx” (14247 female patients). Today, we can report the presence of a much higher number of patients affected by the data theft.
In the file “NEON UDS Report_20230101_20231231_Patients by Age and Sex.xlsx”, NEON included the names of over 23,500 patients who, from January 2023 to December 2023, received care at NEON facilities. In the file, we found 2601 references to United Healthcare insurance plans as “Primary Medical Coverage Payer”:
– United Healthcare Medicaid
– United Healthcare Dual Complete
– United Healthcare CO
– United Healthcare Student Resources
– United Healthcare Medicare MA
– United Healthcare Medicaid DOS
– United Healthcare ABD
– United Healthcare Options PPO CO
The file includes:
– First and last names of patients
– Patients’ date of birth
– Race
– Ethnicity
– Primary Medical Coverage Payer
– Primary Care Provider (PCP)
Screenshot and redaction by SuspectFile.com
Note: We have used the file “NEON UDS Report_20230101_20231231_Patients by Age and Sex.xlsx” as an example, containing data for an entire year (2023). Please note that the data pertains solely to the “sampling” conducted by NEON for the data labeled “Patients by Age and Sex”.
The number of patients involved in this file should not be considered an absolute count of individuals affected by the NEON data breach.
If we take the same type of file for the same period but for a different year, January-December 2021, the numbers naturally change. Therefore, it is not possible to report the absolute figure of patients involved in the data breach on April 15th. Several patients in this file may also appear in the file dated 2022-2023.
However, we are still reporting the figures present in the file “NEON UDS Report_20210101_20211231_Patients by Age and Sex.xlsx”:
Number of patients: 28995 (approximately 5,000 more than in the year 2023)
Number of references to United Healthcare insurance plans as “Primary Medical Coverage Payer”: 2791 (190 more than in the year 2023)
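The counting problem described above (the same patient appearing in several yearly exports, and plan references counted per row rather than per person) is a standard breach-scoping task. The following is an added example, not code from SuspectFile.com and not run against any real NEON file: it takes constructed rows shaped like a “Patients by Age and Sex” export and reports the naive row total, the de-duplicated number of individuals, the overlap between years, and the difference between United Healthcare payer references and United Healthcare patients. The identity key (normalized surname, first name and date of birth) is an assumption; it under-counts when two different people share a name and DOB and over-counts when the same person is recorded with a different DOB, so it gives an estimate, not an absolute figure.

```python
"""Estimate the number of distinct individuals across several leaked
patient exports (incident-response scoping).

Added example with constructed, fictitious data. It is not part of the
SuspectFile article and does not read any real NEON or Medusa file.
"""
from collections import Counter
import re
import unicodedata

# Constructed sample rows: (export_year, first, last, dob, primary payer).
# All names are fictitious.
SAMPLE_ROWS = [
    (2023, "Alice", "Smith", "1980-02-01", "United Healthcare Medicaid"),
    (2023, "alice ", "SMITH", "1980-02-01", "United Healthcare Medicaid"),   # same person, second visit
    (2023, "Bob", "Jones", "1975-07-14", "CareSource"),
    (2023, "Carol", "O'Neil", "1990-11-30", "United Healthcare Dual Complete"),
    (2021, "Alice", "Smith", "1980-02-01", "United Healthcare Medicaid"),    # also present in the 2021 export
    (2021, "Dan", "Lee", "1965-03-03", "Medicare"),
    (2021, "Eve", "Miller", "2001-09-09", "United Healthcare CO"),
    (2021, "Eve", "Miller", "1999-09-09", "United Healthcare CO"),           # different DOB -> counted as another person
]


def normalize(text):
    """Fold case, strip accents and punctuation so 'O'Neil' and 'ONEIL' match."""
    text = unicodedata.normalize("NFKD", text)
    text = re.sub(r"[^A-Za-z0-9]", "", text)
    return text.casefold()


def identity_key(first, last, dob):
    """Assumed identity key: normalized surname + first name + date of birth."""
    return (normalize(last), normalize(first), dob)


def scope_summary(rows, payer_prefix="united healthcare"):
    """Summarize how many rows, distinct people and payer references the exports contain."""
    rows_per_year = Counter()
    people_per_year = {}
    all_people = set()
    payer_rows = 0
    payer_people = set()
    for year, first, last, dob, payer in rows:
        key = identity_key(first, last, dob)
        rows_per_year[year] += 1
        people_per_year.setdefault(year, set()).add(key)
        all_people.add(key)
        if payer.casefold().startswith(payer_prefix):
            payer_rows += 1          # one reference per row, as a spreadsheet count would give
            payer_people.add(key)    # one per distinct individual
    in_every_year = set.intersection(*people_per_year.values()) if people_per_year else set()
    return {
        "rows_per_year": dict(rows_per_year),
        "unique_per_year": {y: len(p) for y, p in sorted(people_per_year.items())},
        "naive_total": sum(rows_per_year.values()),
        "unique_total": len(all_people),
        "in_every_year": len(in_every_year),
        "payer_references": payer_rows,
        "payer_people": len(payer_people),
    }


if __name__ == "__main__":
    for label, value in scope_summary(SAMPLE_ROWS).items():
        print(f"{label}: {value}")
```

On the sample rows the naive total is 8 while only 6 distinct individuals are present, one of whom appears in both years, and the 6 United Healthcare references correspond to 4 people. Summing the per-year figures of the real exports would overstate the breach in the same way.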
Another file that caught our attention is related to patients of Northeast Ohio Neighborhood Health, “MAT Patients Table, Updated 2023.xlsx”. The latest update of the file is dated 7.20.2023 and pertains to patients who have or have had problems with the use of illicit or unauthorized substances. The file states “Patient to maintain abstinence from all illicit/unauthorized substances”.
In the table consisting of 579 patients, the following sensitive data is reported:
– Full name
– Date of Birth
– Date Started Program
– Status
– Dual Diagnosis
– Lab Results
– Fx of Counseling
– HCV (Hepatitis C Virus)
– Counselor’s Name
– Provider’s Name
– Patient Notes
Screenshot and redaction by SuspectFile.com
As anticipated at the beginning of the article, among the data exfiltrated during the Medusa ransomware group attack we found numerous files attributable to the United Healthcare Group, such as the one shown below. The data contained in the “United Healthcare Report – WORKBOOK.xlsx” file pertains to the year 2020. The file describes its content as follows:
“The tabular view summarizes care opportunity data by Physician/LOB/Member for each HEDIS and other standardized quality measures at the episode/event level”.
The document includes:
– Physicians (Name and Surname, NPI, Physician Address): 40
– Total Patients (Name Surname, Member ID, Date of Birth, Race / Ethnicity, Phone): 3,802
– Total Open Care Opportunities: 13,514
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
As previously stated, determining the exact number of individuals affected by the theft of their data is complicated because numerous files repeat the names of the same patient or employee. However, among the folders and files in the 51GB of exfiltrated data, we want to highlight the folder named “Patient_Portal_Statements.” Inside, we discovered 2,381 files with the .pdf extension containing copies of invoices for payments made to Northeast Ohio Neighborhood Health for medical visits or exams conducted at its facilities. We found payment documents covering the period from September 2022 to April 2024, with the last invoice dated April 12, 2024, five days before Medusa exfiltrated the data from the servers of the Cleveland-based company.
The invoices contain the following information:
– Name and surname
– Address
– Account number
– Provider’s surname
– Description of Service
– Cost of medical services
Below are two examples:
Screenshot and redaction by SuspectFile.com
In contrast, the content of the file “15.8b NEON_AR as of 2.14.2023.xlsx” gives a clearer picture of which insurance companies have entered into contracts with patients who have used NEON medical facilities over the years.
The 51GB of documents taken from the servers contain not only PHI and PII of tens of thousands of patients, but also a vast amount of personal information and identity and employment documents, including driver’s licenses and SSNs of employees of various NEON medical facilities and of companies that have had a collaborative relationship with NEON.
There are a total of over 100,000 files and over 4,000 folders in the 51GB of data published by Medusa, documents that the ransomware group affiliate began exfiltrating on April 17th.
Screenshot and redaction by SuspectFile.com
As of today, three weeks after the cyberattack, no statement or declaration has been published on the Northeast Ohio Neighborhood Health website informing its employees and patients about what has happened. We do not know if the data theft and its publication on a Medusa Telegram channel have been reported to law enforcement and the offices of the Attorney General.
We will update the article as soon as we are able to provide further details on the case.