CarePartners Will Now be Made to Pay. Somehow…

CarePartners did not pay the hacking group that stole its patients’ sensitive records and demanded a ransom for them. Now a cybercriminal has put the breached records up for sale on the underground market.

Two months ago, CarePartners, an Ontario-based home care service provider, publicly disclosed that it had suffered a data breach in which patients’ information was “inappropriately accessed”. Little more has been said since the official breach statement, but a threat actor has now taken steps to monetize the harvested data by offering it for sale on the dark web.

According to information obtained by Digiss LLC, over 200 gigabytes of data is up for sale. This includes medical records of over 80,000 patients spanning the last eight years, personally identifiable information, medical supply order forms, discharge medical files, clients’ cardholder data (including expiry dates and CVV) and so forth. The CVV alone is a finding: card security codes are not supposed to be retained after authorization under PCI DSS, so a dump that contains them points to data being stored that should never have been kept.

The “whole package”, as can be seen in the screenshots below, is being offered to interested buyers at 2.5 Bitcoins (about $16,500) by a cybercriminal who goes by the handle SkySore. We were unable to determine whether this individual belongs to the group that originally compromised CarePartners’ network.

As in many other attacks, the criminals gained the keys to the kingdom by exploiting an old, long-known vulnerability. Unlike the Sony and Hacking Team attacks, where the attackers were motivated simply to embarrass their victims, this group hacked for profit, and when the victim refused to pay they took their business elsewhere.

It is worth noting that this was not a ransomware attack, where the victim could simply have restored from backups and moved on. It is what I call Datanapping: the attacker steals the data and threatens to sell it to the highest bidder if the victim organization fails to pay the demanded ransom. Because the data has already left the network, backups and restores change nothing; the only controls that limit the damage are the ones that were (or were not) in place before the theft, such as patching and encryption of sensitive data at rest.

Best practice is to NEVER PAY, even though you will still be made to pay by suffering one or more of the following: reputation damage, a depressed stock price, negative media attention, litigation or regulatory fines, among others. Nor is there any guarantee that an organization breached and blackmailed in this manner would avoid those outcomes by paying: the attacker still holds the data. I don’t think cybercriminals do integrity, so double dipping should come naturally to them.

Apparently aware that this breach could cost CarePartners up to $500,000 in regulatory fines if it were found to be a case of dereliction of the duty of care and diligence, the attackers claimed that the breach was “completely avoidable”. According to them, a fix for the exploited vulnerability had been available for two years, and none of the data lifted was encrypted at rest.

CarePartners, for its part, stated that it “takes safeguarding of personal health and financial information seriously”. Going by the attackers’ claim and evidence, though, it would appear that CarePartners failed to follow certain basic cyber hygiene practices. The CERT Division at Carnegie Mellon University’s Software Engineering Institute published a baseline set of 11 cyber hygiene practices to help organizations defend themselves against common cyber attacks. Going by the hackers’ account, it is easy to see which of the baseline practices in the above image CarePartners failed to fulfill: at minimum, timely patching of known vulnerabilities and encryption of sensitive data at rest.
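The attackers’ first claim, that a fix had been available for two years, is exactly the kind of thing a hygiene programme should be able to measure before an attacker does. The following is an added example (my own code, not from the original post, from CarePartners or from CERT) of a patch-latency check: it compares each installed component version against the first version that carries a fix and reports how long that fix has been available. The inventory, host names, component names, version numbers and snapshot date are all constructed for illustration and correspond to no real product or vulnerability.

```python
"""Patch-latency check over a constructed software inventory.

Added example, not code from the original post. Every host, component,
version and date below is constructed for illustration only.
"""
from datetime import date
from typing import List, NamedTuple, Tuple


class Component(NamedTuple):
    host: str
    name: str
    installed: str      # version currently installed
    fixed_in: str       # first version that contains the fix
    fix_released: date  # date the fixed version was published


# Constructed inventory snapshot (not real data).
INVENTORY: List[Component] = [
    Component("web01", "app-server",   "2.4.1", "2.4.3", date(2016, 6, 1)),
    Component("web01", "tls-lib",      "1.1.0", "1.1.0", date(2018, 5, 1)),
    Component("db01",  "dbms",         "10.2",  "10.10", date(2018, 6, 5)),
    Component("db01",  "backup-agent", "3.0",   "3.1",   date(2017, 12, 1)),
]

# Constructed snapshot date for the exposure calculation.
AS_OF = date(2018, 6, 18)


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that '10.10' > '10.2'.

    Comparing version strings lexically would rank '10.2' above '10.10'
    and silently hide a missing patch, so numeric comparison is essential.
    """
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(c: Component) -> bool:
    """True when the installed version predates the fixed version."""
    return parse_version(c.installed) < parse_version(c.fixed_in)


def exposure_days(c: Component, as_of: date) -> int:
    """Days the fix has been publicly available as of the snapshot date."""
    return (as_of - c.fix_released).days


def patch_latency_findings(inventory: List[Component], as_of: date,
                           max_days: int = 30) -> List[tuple]:
    """Return (host, name, installed, fixed_in, days) for every unpatched
    component whose fix has been available longer than max_days,
    worst exposure first."""
    findings = []
    for c in inventory:
        if not is_vulnerable(c):
            continue
        days = exposure_days(c, as_of)
        if days > max_days:
            findings.append((c.host, c.name, c.installed, c.fixed_in, days))
    findings.sort(key=lambda f: f[-1], reverse=True)
    return findings


if __name__ == "__main__":
    for host, name, installed, fixed_in, days in patch_latency_findings(INVENTORY, AS_OF):
        print(f"{host:6} {name:13} {installed:>6} -> {fixed_in:<6} fix available {days} days ({days / 365:.1f} years)")
```

With the constructed snapshot the report lists the app server (fix available for over two years) and the backup agent, while the database engine, whose fix is only 13 days old, falls under the 30-day threshold and the TLS library, already at the fixed version, is not flagged at all. Lowering max_days to zero shows everything unpatched regardless of age.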

In 1789, Benjamin Franklin wrote that “in this world nothing can be said to be certain, except death and taxes”. Cyber attacks joined that list a few years ago. That notwithstanding, if your organization is ever going to be breached, be sure to limit the impact by adhering religiously to basic cyber hygiene practices. According to a credible study conducted by the Ponemon Institute in 2016, most (60%) cyber attackers move on to softer targets after about 40 hours of unsuccessful repeated attempts to breach an organization’s defenses; every hour of delay a control adds to an attack buys you that much more chance the attacker gives up.

This incident, like others before and after it, is a stark reminder of what can happen when stakeholders within an organization fail to pull their weight. Cyber security is everyone’s responsibility; when everyone pulls in the same direction, defeating the adversary becomes much easier.
