After being contacted by Salted Hash about a possible data breach, Gwinnett Medical Center (GMC), a not-for-profit network of healthcare providers in Gwinnett County, Georgia, has confirmed they’re investigating what they’re calling an IT incident.
Salted Hash first became aware of a possible data breach at GMC late last week, but the exact details surrounding the incident were not immediately available.
What we learned was that on Saturday (Sept. 29), IT staff at GMC Lawrenceville became aware of an incident involving at least several hundred patient records. Immediately following the discovery, the alleged attackers sent threats.
Sometime later, an agent from the local FBI field office arrived and offered to assist, but it isn’t clear if the FBI knew something was wrong, or if the law enforcement agency was called in after the threats were made.
The chaotic weekend pushed forward until early Tuesday morning, when alleged GMC patient data started to appear online. The posted patient details included full name, date of birth, and the alleged patient’s sex, along with claims that the healthcare provider was attempting to cover up the incident.
When reached for comment, Beth Hardy, a spokesperson for GMC, said there was no data breach, and instead stated the not-for-profit was investigating an IT incident that became apparent last week.
In a prepared statement, GMC said day-to-day operations haven’t been impacted by this incident, and that external partners have been called in to assist. One of those partners is PricewaterhouseCoopers (PwC).
When pressed for details, Salted Hash was told the investigation is ongoing, and GMC is still “trying to determine the specifics of this case.”
“GMC takes cyber security very seriously and we are committed to maintaining the integrity, availability and confidentiality of our systems and data. That starts with identifying threats and conducting audits and it includes the processes, procedures and safeguards that we have in place to protect our systems,” the healthcare provider’s statement concluded.
Calls seeking comment from the FBI field office in Atlanta were not answered.
This is an ongoing, developing story. Salted Hash will be updating this article as new information becomes available.
Shortly after this article was published, a source familiar with attacks in the medical space contacted Salted Hash with some interesting observations, considering that attempts were made online to shame GMC for the incident.
This all could be the work of Particle Matrix, given the threat actor’s nature of taunting and extortion demands against victims. Originally, the group started off using open RDP and other means to deliver homegrown ransomware payloads to medical victims, but they abandoned those efforts last year. These days, the group mostly sticks to extortion. Online, the attackers claimed they reached out to GMC’s Chief Financial Officer, Tommy McBride, but he “rejected our help.”
Another odd aspect of the taunting messages online is the affiliate links. The person(s) posting messages containing alleged GMC patient data are promoting a LifeLock affiliate link and encouraging GMC patients to register for identity theft protection.
Until more information is released, however, it’s impossible to determine what group – if any – is responsible for the incident at GMC.