Lorien Health Services in Maryland announced that it was the victim of a ransomware incident in early June. Data was stolen and then encrypted during the incident.
Responsible for the attack are Netwalker ransomware operators, who leaked the information after Lorien refused to pay the ransom demand.
Social Security numbers accessed
A family-owned nursing home for the elders, Lorien Health Services runs nine locations in Baltimore, Carroll, Harford, and Howard counties, as well as a rehabilitation and fitness facility.
The company says that the incident was detected on June 6 and contracted services of cybersecurity experts to start an investigation and determine the impact.
After four days, the verdict was that personal information had been accessed by the hackers and it “may have included residents’ names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.” Employee data was also accessed.
According to the breach notification sent to the Secretary of Health and Human Services, the number of impacted individuals is 47,754.
Although Lorien just announced the breach publicly, Netwalker operators made the incident known in mid-June, publishing screenshots of directory listings with 2020 date stamps and admission records as proof of compromise.
Netwalker leaks Lorien data
At the moment, some of the data has been dumped online. A password-protected archive of 147MB is currently available via a file-sharing service.
The hackers also published the unlock key for the archive and labeled this cache “Part 1,” indicating that they may leak more data in the future.
Netwalker ransomware operation started under the name Mailto in October 2019 and rebranded in February this year.
Their targets include corporate networks vulnerable to remote desktop hacks but as the Lorien incident shows, they are not picky about who they attack as long as they get paid.
As it typically happens with these attacks, the business informed the FBI and is cooperating with the service providing details that may help catch the perpetrators.
Lorien sent notification letters to “all potentially impacted residents” on June 16, two days after the hackers announced a successful attack. The letters included details about the attack and the options for protecting personal information, along with complimentary credit monitoring and identity protection services.