Hacking group claims responsibility for ransomware attack on Northern California health care network
A ransomware group called Hive is claiming to have stolen 850,000 records of personal data from Partnership HealthPlan of California, a nonprofit that manages health care for Medi-Cal patients in 14 counties.
On March 21, the health plan notified a local community health center that its computer systems were down. Last week, Partnership, which serves more than 618,000 Medi-Cal members in 14 Northern California counties, posted on its website a single page saying it is experiencing “technical difficulties, resulting in a disruption to certain computer systems.”
Brett Callow, a threat analyst at New Zealand-based cybersecurity firm Emsisoft, alerted The Press Democrat that a ransomware group called Hive is claiming a cyberattack on Partnership. Callow said Hive posted on its website on the dark web that it had stolen Partnership’s data.
A screenshot of the claim describes the “stolen data includes...850,000 unique records of name, SSN, date of birth, address, contact, etc.” It also states that 400 gigabytes of data were stolen from Partnership’s file server.
The claim has since been removed.
“We are aware of the claims. As our investigation is ongoing, we are unable to provide additional information at this time,” Partnership spokesman Dustin Lyda said in an email Wednesday.
The Federal Bureau of Investigation’s press office in Washington, D.C., could not immediately be reached for comment Wednesday morning. The California Department of Managed Health Care also could not immediately be reached for comment.
Last year, the FBI issued a “Flash” alert about Hive. The Aug. 25, 2021 alert was aimed at warning cybersecurity professionals and system administrators about Hive ransomware’s activities. The alert states that Hive was first observed in June 2021 and “operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.”
“Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the FBI alert said.
“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software,” the alert said. The ransom note also threatens to leak exfiltrated victim data on the Tor site ‘HiveLeaks,’ according to the FBI alert.
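One defensive check that follows from the behaviour the FBI alert describes, a ransom note dropped into every affected directory, is to look for a filename that appears with byte-identical content in most directories of a tree. The script below is an added example written for this page; it is not code from the article, from Emsisoft or from the FBI alert. The note filename, the note text and the directory layout are constructed for the demo and are not Hive’s real artifacts.

```python
"""Flag files replicated with identical content across most directories of a tree.

Heuristic for the behaviour described in the FBI Flash: a ransom note left in
each affected directory. A legitimate tree rarely has one filename whose bytes
are identical everywhere; an encryption run typically does.
(Added example; note name and tree layout are constructed, not real artifacts.)
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def _sha256(path):
    """Hash file content so same-named but different files are not confused."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replicated_files(root, min_fraction=0.8, min_dirs=3):
    """Return {filename: (dirs_containing_it, total_dirs)} for every filename
    present, with identical content, in at least min_fraction of the
    directories under root (and in at least min_dirs of them)."""
    total_dirs = 0
    dirs_by_name = defaultdict(set)     # filename -> directories containing it
    digests_by_name = defaultdict(set)  # filename -> distinct content hashes seen
    for dirpath, _subdirs, files in os.walk(root):
        total_dirs += 1
        for name in files:
            dirs_by_name[name].add(dirpath)
            digests_by_name[name].add(_sha256(os.path.join(dirpath, name)))
    hits = {}
    for name, dirs in dirs_by_name.items():
        replicated = len(dirs) >= min_dirs and len(dirs) / total_dirs >= min_fraction
        # Exactly one distinct hash: every copy is the same bytes, as a dropped note is.
        if replicated and len(digests_by_name[name]) == 1:
            hits[name] = (len(dirs), total_dirs)
    return hits


def build_sample_tree(note_name="RESTORE_FILES.txt"):
    """Build a throwaway tree of constructed sample data: seven directories,
    an identical note in six of them, and a per-directory file that shares a
    name everywhere but differs in content."""
    root = tempfile.mkdtemp(prefix="ransom_note_demo_")
    note = b"Your files are encrypted. Follow these instructions to buy the decryptor.\n"
    affected = ("", "finance", "finance/2021", "hr", "hr/onboarding", "it")
    for sub in affected:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, note_name), "wb") as f:
            f.write(note)
        # Same filename in every directory, different content: must NOT be flagged.
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(f"working notes for {sub or 'root'}\n".encode())
    # One directory the actor never reached; the heuristic must tolerate gaps.
    untouched = os.path.join(root, "it", "tools")
    os.makedirs(untouched)
    with open(os.path.join(untouched, "tool.bin"), "wb") as f:
        f.write(b"\x7fELF")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for name, (n, total) in find_replicated_files(demo_root).items():
            print(f"suspicious: {name!r} identical in {n}/{total} directories")
    finally:
        shutil.rmtree(demo_root)
```

On the constructed tree the note is reported as identical in 6 of 7 directories, while notes.txt, present everywhere but with different bytes in each copy, is not. In a real response the check would be run against a file share or backup snapshot, with min_fraction lowered if the actor only reached part of the tree.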
Partnership serves Medi-Cal members in Sonoma, Del Norte, Humboldt, Lake, Lassen, Marin, Mendocino, Modoc, Napa, Shasta, Siskiyou, Solano, Trinity, and Yolo counties. Medi-Cal is California’s version of the federal Medicaid program.
There are about 100,000 Sonoma County residents who receive Medi-Cal health coverage through the health plan. These residents receive medical services at several local community health centers, as well as Kaiser Permanente.
The plan handles Medi-Cal services for 24,000 patients at Santa Rosa Community Health, the county’s largest consortium of clinics. The health center was informed about Partnership’s technical problems last week.
“We are aware of the Partnership outage, but don’t have any information about its source,” said Naomi Fuchs, CEO of Santa Rosa Community Health. “The outage has not caused any disruption in services to Medi-Cal patients and all services at Santa Rosa Community Health continue to be available.”
According to Emsisoft’s cybersecurity blog, ransomware attacks are an increasing threat in the public sector.
Last year, there were attacks against 77 state and municipal governments; 1,043 schools; and 1,203 health care providers.
Those attacks resulted in at least 118 data breaches.
You can reach Staff Writer Martin Espinoza at 707-521-5213 or firstname.lastname@example.org. On Twitter @pressreno.