Hive ransomware group claims Partnership HealthPlan of California data breach

The group, known for attacks on healthcare organizations, claims to have stolen 850,000 personally identifiable information records from Partnership HealthPlan of California.

ransomware healthcare breach hacker
Getty Images

The Hive ransomware group has claimed to have stolen 850,000 personally identifiable information (PII) records from the Partnership HealthPlan of California (PHC). The data includes names, Social Security numbers, and addresses along with 400 GB of stolen files from the healthcare organization’s server, according to a post on Hive’s dark web site. The PHC has confirmed “anomalous activity on certain computer systems within its network.”

Partnership HealthPlan of California confirms “anomalous activity” on systems

The PHC’s website currently (March 31) shows a holding page with a message stating that it recently became aware of anomalous activity on certain computer systems within its network. The company’s statement reads:

“We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation. Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines. We appreciate your patience and understanding and apologize for any inconvenience.”

At the time of writing, the PHC was unable to receive or process treatment authorization requests.

Hive ransomware group synonymous with healthcare attacks

Hive has been active since at least June 2021 and is synonymous with attacking healthcare organizations and other businesses ill-equipped to defend against cyberattacks. An FBI warning from August 2021 stated that the group likely operates as an affiliate-based ransomware operation and employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation.

“Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the FBI said. After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network, the FBI added. “The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, HiveLeaks.”

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.