Cybercriminals post health system employee information online

The same hacker group took a similar tactic in February, posting tens of thousands of stolen patient records to the dark web in an apparent extortion attempt.
By Kat Jercich
03:14 PM
Hands with text scrolling in front

A hacker group known for ransomware attacks posted sensitive employee files online following a cyberattack at a Gallup, New Mexico, health system.  

According to NBC News, the group stole sensitive employee files from Rehoboth McKinley Christian Health Care Services and posted them to its website, seemingly in an attempt to extort payment.  

The files reportedly included job applications and background check authorizations that included Social Security numbers.


Caleb Barlow, CEO of CynergisTek, told Healthcare IT News Executive Editor Mike Miliard that the action of posting stolen information online is a fairly new tactic for bad actors.  

"This is commonly referred to as 'double extortion,'" said Barlow, describing the action of posting information after a ransom has not been paid.  

While NBC did not confirm whether Rehoboth paid the ransom, the information was removed from the hacker group's website.

"Recovery from a ransomware attack often requires negotiation with the ransomware actors,” Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future, said to NBC.   

"Usually, when files appear on an extortion site and then disappear, it means a payment was made," Liska added.  

Although most experts say paying hackers is not the right strategy for dealing with ransomware, Barlow said the tactic of posting potentially sensitive data represents a ramping-up strategy.

Barlow said the messaging has become: "You need to pay me. If you're not going to pay the ransom, I'm going to extort you."  

He also warned of worsening trends, such as bad actors changing stolen data once they have access – thereby giving rise to an array of potential patient safety issues – and demanding payment to reinstate it.  

"If I change the data, now I break trust in the entire system," said Barlow. "Again, increasing the likelihood that you're gonna have to pay that ransom in order to either get your data back, or, even worse, know your data, is integral."


According to NBC, the same hacker group that posted the employee information took a similar tactic in February, posting tens of thousands of stolen records to the dark web in an apparent extortion attempt.  

The files reportedly comprised scanned diagnostic results and letters to insurers, background checks on hospital employees, and an Excel document with more than 100 patient names, dates, details of colonoscopy procedures and notations about whether the patient has a "normal colon," among other personal health information.  

And while 2020 was a banner year for ransomware, experts have warned that security challenges are likely to continue: The COVID-19 vaccine, plus the continued reliance on telehealth (and telework), present juicy targets for bad actors.   


"No matter how much you're spending on defense, it's a whole lot cheaper than paying for the expense after the boom," said Barlow.


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.

More regional news

John Fowler deputy information security officer Henry Ford Health System

John Fowler, deputy information security officer at Henry Ford Health System 
(Credit: Henry Ford Health System)

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.