April ‘BianLian’ Attack Affected 559,000

A Tennessee medical clinic and surgical center is notifying more than half a million patients and employees that their personal information may have been stolen by cybercriminals in an April cyberattack that disrupted healthcare services for several days.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

Mursfreesboro Medical Clinic & SurgiCenter reported the hacking incident to the Department of Health and Human Services on June 21 as a HIPAA breach affecting 559,000 individuals (see: Tennessee Medical Clinic Patient Services Hampered by Attack).

The Murfreesboro-based clinic, which has 130 healthcare providers, seven locations and 900 employees, said in its breach notice that the “sophisticated” criminal cyberattack involved “a well-known cyber extortion operation.”

MMC CEO Joey Peay told Information Security Media Group in a statement that ransomware group BianLian had claimed responsibility for the attack. “MMC has not paid, nor will be paying, a ransom,” he said.

The blog Databreaches.net reported on Monday that MMC temporarily had been listed – and then removed – from BianLian’s leak site, which claimed the crime group had 250 gigabytes of the entity’s files.

“We have been working with law enforcement since day one when the attack originally happened,” Peay said. “We have taken several different steps to attempt to prevent further incidents of this nature. However, you can never be too sure with the sophisticated nation-state actors trying to pursue hacks of company data worldwide.”

BianLian is a prolific ransomware group that emerged in the summer of 2022. Initially, the group was known for executing rapid encryption attacks, according to threat intelligence firm Cyble. But after security firm Avast in January released a free decryptor for victims of the ransomware group, BianLian appears to have shifted the focus of its attack strategy to data theft extortion (see: Stung by Free Decryptor, Ransomware Group Embraces Extortion).

Breach Details

MMC in its breach notice says that on or about April 24 it identified “a series of attacks” on its network and IT systems. In response, MMC said, it immediately shut down its network and engaged third-party cybersecurity experts and law enforcement “to help identify the source and scope of the attack.”

An extensive investigation determined that a cyber extortion operation had infiltrated MMC’s network on or about April 22 with the intent to steal information for ransom, the entity said.

While MMC said it has been unable to determine whether any personal information was actually accessed or removed from its network, the information subject to compromise appears to be extensive.

Potentially stolen data includes individuals’ names, birthdates, home addresses, phone numbers, copies of driver’s licenses, full or partial Social Security numbers, dependent information, medical and diagnostic information, dates of service, test results, procedure notes, prescription information, medical record numbers, and insurance and enrollment information including group names, identification numbers and claim numbers.

MMC said it does not store credit card or bank account information in its network.

The entity is offering affected individuals 24 months of complimentary credit and identity monitoring.

‘Upward Trend’

Threat analyst Brett Callow of Emsisoft said the security firm has counted 19 attacks so far in 2023 on U.S. healthcare systems that operate hospitals, compared to 25 attacks in total for the full year 2022.

Those figures do not include attacks on other nonhospital healthcare providers, such as clinics like MMC, Callow said. “It seems there may be an upward trend,” he told ISMG.

“To determine whether counter-ransomware policies are working, we really need to start looking beyond the numbers and measuring their impact,” he said. “An attack which encrypts a single endpoint and attack which hobbles an entire multihospital healthcare system both count as a single incident, but are obviously very different in terms of impact.”

The 19 healthcare systems attacked in the U.S. so far in 2023 operate 33 hospitals. Data was stolen in 16 of those incidents, Callow said.

“Winning the war on ransomware doesn’t necessarily mean reducing the number of incidents. It can simply mean reducing the disruption the incidents cause and their impact on patient care,” he said.