
Hive ransomware group claims to steal California health plan patient data
The Hive ransomware group, known for attacking healthcare organizations, posted on its dark web site that it has stolen 850,000 personally identifiable information (PII) records from the Partnership HealthPlan of California.
The organization’s website currently contains a landing page that says the health plan has been “experiencing technical difficulties,” including a “disruption to certain computer systems.” The organization’s phone systems have a similar message, with a recorded message saying that “all of our systems are down, with no expected time of repair.”
“We are working diligently with third-party specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality to our systems as soon as possible,” the health plan said in the message on its website, which is not dated.
The Partnership HealthPlan of California says it has set up Gmail addresses for individuals and providers to contact. VentureBeat has emailed the address for general inquiries.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said in a message to VentureBeat that “establishing alternative communication channels is a standard play in incident response.”
“Even if your email system is working, the attackers could have access and be able to monitor communications,” Callow said.

The technical difficulties appear to have begun several days ago. The Press Democrat reported on the issues on March 24, without mention of a cyberattack, and indicated that the health plan has more than 618,000 members in Northern California.
The Hive ransomware group posted its claim about the stolen Partnership HealthPlan of California data on Tuesday. The data includes 850,000 unique PII records, such as name, Social Security number and address, according to the group. The stolen data also includes 400 GB of stolen files from the organization’s server, Hive claimed.
Update, March 30: The Partnership HealthPlan of California website, viewed as of March 30 at 4:30 p.m. PST, had been updated to say that the organization “recently became aware of anomalous activity on certain computer systems within its network”:
We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to impacted systems, and determine whether any information may have been potentially accessible as a result of the situation. Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines.
“HiveLeaks”
The Hive ransomware group has been active since at least June 2021, which is the first time the group posted on its “HiveLeaks” dark web site.
Past claimed ransomware attacks by Hive have included an August 2021 attack against Memorial Health System, which has hospitals in Ohio and West Virginia, and an October 2021 attack against Johnson Memorial Health in Indiana.
A previous alert from the FBI warned that the Hive ransomware group “likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.”
“Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the FBI said. “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.’”
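The FBI's point that a ransom note is left in every affected directory gives defenders a file-system signal to triage on: one small file whose name and content repeat across many folders. The sketch below is an added example, not part of the original article or the FBI alert; the function names, the thresholds, and the file name NOTE_PLACEHOLDER.txt are assumptions, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def find_replicated_files(root, min_dirs=3, max_size=64 * 1024):
    """Map (file name, sha256) -> directories, for small non-empty files whose
    name AND content repeat in at least min_dirs directories under root."""
    seen = defaultdict(set)
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                # Skip links, empty markers (.gitkeep style) and large files.
                if os.path.islink(path) or size == 0 or size > max_size:
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable, or removed while scanning
            seen[(name, digest)].add(dirpath)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_dirs}

def build_sample_tree(root):
    """Constructed sample data: a share with one identical note in every folder."""
    def write(rel_dir, name, data):
        d = os.path.join(root, rel_dir)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    for sub in ("finance", "hr", os.path.join("hr", "payroll"), "it"):
        write(sub, "NOTE_PLACEHOLDER.txt", b"constructed placeholder note\n")
        write(sub, "report.docx", sub.encode())   # same name, different content
        write(sub, ".gitkeep", b"")               # empty marker, ignored
    for sub in ("finance", "it"):
        write(sub, "README.txt", b"shared readme\n")  # only two directories

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for (name, digest), dirs in find_replicated_files(tmp).items():
            print(f"{name} sha256={digest[:12]} present in {len(dirs)} directories")
```

A hit is a lead for triage, not proof of compromise: legitimately replicated files such as license texts or folder templates need an allow-list before this runs on a real share.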