Data breaches tend to be mysterious affairs where organisations on the receiving end say as little as possible and the attackers remain safely in the shadows.
The breach of medical records at Canadian company CarePartners, which provides healthcare services on behalf of the Ontario Government, looks as if it is turning into an unwelcome exception to this rule.
CarePartners made the breach public in June, saying only that patient and employee health and financial data had been “inappropriately accessed by the perpetrators” without specifying the size or extent of the breach.
And so it would have remained had the attackers not decided to contact the Canadian Broadcasting Corporation (CBC) this week with more detail of their exploits. They also revealed the not insignificant nugget that they have demanded that CarePartners pay a ransom for them not to release the stolen data:
We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online.
To underscore the threat, the attackers sent CBC a sample data set which included thousands of medical records containing dates of birth, health numbers, phone numbers and details of past surgical procedures and medications.
Other files contained 140 patient credit card numbers complete with expiry dates and security codes, plus employee tax slips, social security numbers, bank account details and plaintext passwords.
The cache ran to thousands of records, said CBC, but the attackers claimed that hundreds of thousands of records were involved.
What’s concerning are discrepancies between CarePartners’ assessment of the breach and the new information the hackers have sent to CBC.
According to CBC, CarePartners said its forensic investigation had identified 627 patient files and 886 employee records that were part of the breach, with all affected individuals informed of the compromise.
And yet the sample sent by the hackers contained the names and contact information for more than 80,000 people.
When CBC’s journalists contacted a small sample of these individuals, none said they had been contacted by CarePartners.
According to the attackers, they gained access to the data after they discovered vulnerable software that hadn’t been updated in two years, adding:
This data breach affects hundreds of thousands of Canadians and was completely avoidable. None of the data we have was encrypted.
Beyond the fact that a serious breach has occurred, none of these details can be confirmed of course.
Publicising a ransom demand to a public body is probably a sign of desperation by the attackers that goes against the extortion playbook.
The first rule of extortion is to keep it a secret on the basis that publicity can make it harder for organisations to pay up, and may even force them to report the matter to the police.
The fact that the hackers have broken this rule is not good news. If they’ve given up any hope of being paid, that makes it more likely that the data will be posted to a public server where it will join the ocean of other personal healthcare data that lives in the darker recesses of the internet.
As with every data breach, today’s headlines are only the beginning of a story that stretches many years into the future, its consequences hard to predict.