Hackers Increasingly Leveraging Threats to Patients to Pressure Health Organizations to Pay Ransom

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 24, no. 4 (April, 2024)

Cyberhackers—potentially frustrated by their limited ability to extort ransom from health care entities in attacks—have started extorting the patients themselves, threatening them with the release of information or embarrassing photos online, or even with other forms of harassment, such as multiple spam emails or threats to send law enforcement to their homes, experts said.

The tactics cropped up in multiple attacks in late 2023 and likely will accelerate this year, said Michael Hamilton, co-founder of Critical Insight and former City of Seattle chief information security officer. “This tactic doesn’t seem to be going away,” Hamilton said during a recent webinar.[1] “This seems to be a new business model.”

One of the most recent attacks took place at Oklahoma City-based Integris Health. In that incident, some patients were contacted in December by apparent hackers who claimed to have stolen their personal information and threatened to post it on the dark web.[2]

“In November, Integris Health, based in Oklahoma, had a ransomware attack,” said Jake Milstein, chief marketing officer for Critical Insight, to webinar attendees. “In December, criminals started emailing Integris patients. The email said: ‘We’ve contacted Integris Health, but they refuse to solve this issue. We give you the opportunity to remove your personal data from our databases before we sell the entire database to data brokers on January 5th, 2024.’ And by the way, they sent this on Christmas eve.”

Patients were told they could pay $3 to view the information and $50 to remove it, Milstein said.

Hamilton said that this represented “double-dipping” by those conducting the ransomware attack: first, the bad actors exfiltrate the data, and then they can install malware on the system. “So, having that data is an ace in the hole, right? If you have a ransom that you refuse to pay, now you can extort the entity whose data was stolen. Now, of course, they’re going one step further and leaning into the people whose data was stolen themselves.”

In an incident that occurred during the same general time frame at Fred Hutchinson Cancer Center in Seattle, patients received emails purportedly from the alleged hackers stating that their data had been stolen and “will soon be sold to various data brokers and black markets to be used in fraud and other criminal activities,” according to emails seen by The Seattle Times, which broke the story.[3]

The email said those responsible for the ransomware attack had already been in contact with Fred Hutchinson, but the cancer center “refused to make a deal.” Fred Hutchinson said it had emailed patients urging them not to send any money to the cybercriminals and report the emails to the FBI’s internet crime center.

Ultimately, some patients also received swatting threats, in which the purported hackers warned people that they needed to pay a fee or they would be swatted, Hamilton said. In swatting, bad actors call the authorities with a fake report of a bomb threat or a shooting at the victim’s location in the hope that heavily armed law enforcement agents will show up at the victim’s door.

Bad actors also are leveraging nude photos of patients to extort CEs, Milstein said. For example, Lehigh Valley Health was hit by ransomware in February 2023, and “the criminals then released photos of nude female cancer patients to try to get the organization to pay,” he said.[4]

In another recent case, cybercriminals obtained medical records and naked patient photos from plastic surgeons in Beverly Hills, California, and Las Vegas and released them online, Milstein said. In the Las Vegas breach, many of the photos, which show breasts and other sensitive areas, contain patients’ faces, and records for more than 12,000 patients may have been involved.[5]

Why Is This Happening?

Even health care entities that are well aware of the prospect of ransomware need to have decided well in advance if they are going to pay the ransom, said Fred Langston, co-founder of Critical Insight and an incident response technical expert. “If you are [going to pay ransom], you should already have contracted with a company that will help you negotiate through the process. It’s all about being prepared, right. Most people wait until it happens, and I don’t want to be making that kind of decision while the house is burning down in front of me.”

This decision-making process reflects how difficult it would be for a patient to be confronted with a hacker’s demand, Hamilton said. In addition, he said, it’s not even clear how the patients would pay. “Are you going to give your credit card to a criminal? Could this just be a [scam] to collect credit card numbers for people that you freak out sufficiently with these threats?”

More likely, Hamilton said, the hackers attempt to get patients involved in an effort to pressure the health care entity to pay the ransom.

Michael Borgia, a cybersecurity attorney at Davis Wright Tremaine, agreed: “I think the hackers may realize you’re going to have to disclose this [breach], so you’re going to have to deal with the lawsuits anyway, but we’re going to make it extra bad for you because we’re going to freak out all of your customers and terrify them. And we’re going to try to destroy your reputation and burn you into the ground.” Health care organizations will worry about their patients being harassed by the hackers and will strive to avoid it, Borgia said during the webinar.

At the same time, direct contact with patients fuels inevitable-seeming class-action lawsuits. “I see more claims being added to them because of this, and maybe [the lawsuits are] getting easier to overcome barriers to standing,” he said. “This is really trying to hit companies where it hurts, which is their reputation with their customers.”

In addition, “ramping up emotional distress in the victims is going to add to the request from the plaintiffs for redress,” Hamilton added.

Langston said that these new tactics “are a maturation of the hacker economy. This is a relatively mature business model. Now, they’re looking for ways to innovate, and they are looking for more scalable ways to do it. And they will continue to evolve this in a business model sense because there’s a lot of money supporting this. And it will move forward like any other industry.”

Consequently, Langston said, health care entities and other organizations exposed to this type of hacking will need to become more knowledgeable about these tactics.

Hamilton noted that there’s “a glut of health records” available on the dark web. “I do think that, in that mature criminal enterprise ecosystem, there is downward pricing pressure on these records. And they’re looking for new ways to generate revenue on this,” he said.

Plan Ahead for Communications

These incidents will pressure breached organizations “to communicate more candidly and faster,” Borgia said, adding that this is already occurring.

“Not long ago—before ransomware was just everywhere all the time, companies would get hit—and they would say, ‘Well, um, we’ve had an outage,’” Borgia explained. “And they would say that for weeks, and then they’d say, ‘Okay, it was ransomware.’ But now we’re seeing companies either come out immediately and say it was ransomware,” or possibly delay providing the full story but only for a couple of days, he said. “I think you’re going to have to get into that full story much sooner than you might otherwise.”

Borgia argued that patients are becoming used to hearing about ransomware attacks and data breaches, so “this is not as exotic as it used to be. So, it makes sense that companies have shifted to faster, more transparent communications. And I think you’re going to have to do that.”

Of course, determining whose data was involved in the breach takes time, Borgia said. Therefore, organizations may address breaches proactively with press releases and emails to get the word out prior to official, legal breach notification letters, he said.

Still, describing the types of potential situations that may arise can pose some challenges for the breached health care entity, which will need to communicate with patients whose information was compromised, Borgia said.

“The letters you’re going to write are probably geared towards your breach notification obligations under state law or a federal law if that applies to you,” Borgia said. He said the entity might consider addressing this situation in a frequently asked question about the breach: “What do you do if you’re contacted?”

Unfortunately, it’s difficult to say if that’s the correct approach, Borgia added. “It’s hard for you to really say what you should do [if contacted], right? I mean, I think the easy answer is, ‘Don’t pay these people. That’s a stupid thing to do.’ But it’s hard to say that. Circumstances vary. And if someone says, ‘Okay, you told me not to pay, I’m not going to pay,’ and then their medical records get leaked,” which sets up a lawsuit because the person was told not to pay, he said.

“So, probably, there’s not a whole lot you’re going to be able to do other than, for example, say, ‘We’re aware of this, it’s the bad actors, here’s some resources, contact the FBI, contact police,” Borgia said. “You may want to encourage them to contact you or report it to you or report it to the FBI because you do want to get information about this, as does law enforcement.”

Still, he noted, “it’s hard to advise them, unfortunately.”

First Determine What Happened

Communications plans are vital in addressing public and patient concerns about ransomware and breaches; however, Langston pointed out that organizations can’t implement a communication plan unless they’ve first investigated and understand what happened. “Being transparent is absolutely a goal,” he said. “Everybody should strive to do it quickly. But you have to say things that you know are true when you publish them.”

Providing the public with incomplete facts could worsen matters if the breach affects many more patients than initially thought, Langston said. “I believe you’ve got to be able to have the forensic capabilities to effectively determine what happened, who was involved and then be able to rapidly, transparently communicate,” he said.

If the breached entity has a cyber insurance company, that should be the first call, Langston said. “They will likely guide you through this process,” he said. “They may provide a breach coach and even a negotiation team and a communications team to assist you in that process.”

If the breached entity does not have cyber insurance, then “you need somebody to do your investigation internally,” Langston said. “You need people to help you recover. And then you need to put together an executive view of what happened so that you can then communicate that, doing that on the fly.” Companies should prepare for these possibilities, he added.

Communications plans contained within an organization’s incident response plan will need to change to reflect these new tactics, Hamilton said. Once an organization knows it has experienced an event, those communications plans may need to inform patients and the public about the possibility that they will be contacted directly by the hackers.

In addition, organizations should address the new risks of ransomware in their tabletop exercises so that they know how they will want to respond if it happens to them, Milstein said.

1 Michael Borgia et al., “Urgent Panel: Ransomware Criminals Targeting Patients and Parents in Upward Trend,” Critical Insight, webinar, 59:43, January 18, 2024, https://bit.ly/3VSWdZ6.

2 Jane Anderson, “Privacy Briefs,” Report on Patient Privacy 24, no. 1 (January 2024), https://bit.ly/4aqYn6y.

3 Elise Takahama, “Fred Hutch patients receiving email threats following cyberattack,” The Seattle Times, December 8, 2023, https://bit.ly/3JcEa8q.

4 Jane Anderson, “Privacy Briefs,” Report on Patient Privacy 23, no. 4 (April 2023), https://bit.ly/3PX9RGO.

5 Jane Anderson, “Privacy Briefs,” Report on Patient Privacy 23, no. 12 (December 2023), https://bit.ly/3JaByYJ.
