Maze Ransomware Hackers Post Patient Data Stolen from 2 Providers

Computer programming code. Online safety, hacking and digital firewall background 3D illustration

May 06, 2020 – The notorious Maze ransomware hacking group has failed to follow through with their assurance the healthcare sector would be off-limits during the COVID-19 pandemic, by publishing data stolen from two separate plastic surgeons for sale on the dark web this week.

Maze claims to have attacked the first victim, Kristen Tarbet, MD in Bellevue, Washington, with ransomware on May 1. As proof of their successful attack, the attackers published a number of large files containing protected health information.

One spreadsheet contains about 39,000 entries of patient appointments, others contained full names, appointment lengths, types, and purposes, provider comments, and dates of birth. Other posted files contained a host of patient contact information and Social Security numbers, as well as medical information including patient histories, diagnostic codes, allergies, and a host of other sensitive data.

Another file contained passwords for the plastic surgeon’s wireless merchant account and QuickBooks, as well as other corporate-related information.

Maze hackers also claim to have attacked Nashville Plastic Surgery Institute, doing business as Maxwell Aesthetics on May 1.

The data dump provided as proof of its attack contains a host of patient PHI, including names, surgery type diagnostic data, dates of birth, and some health insurance information. The filenames are also crafted in a way that expose sensitive data, as it includes full names, surgery types, name of the insurance provider, and the dates.

The threat actors also posted complete details of patient histories, as well as medical needs for planned patient surgeries.

Maze ransomware has been incredibly problematic for the healthcare sector, beginning in November and especially during the Coronavirus pandemic. Other treat actors have also tagged onto the double extortion trend, first stealing data from the victim before launching the ransomware payload in an effort to force the victim to pay the ransom demand.

The hackers will first warn the provider, then pressure the victim by posting data dumps as proof that publicly reveal the provider has been compromised. Last week, Microsoft warned human-operated ransomware attacks have continued to plague the healthcare sector amid the public health emergency.

And the FBI has repeatedly warned that double-extortion ransomware attempts have spiked in recent months. In the last month, the World Health Organization and multiple COVID-19 research firms have been targeted with extortion attempts.

Healthcare providers should review ransomware insights from Microsoft and the Office for Civil Rights to bolster their defenses.