Gwinnett Medical Center investigating possible data breach

After being contacted by Salted Hash about a possible data breach, Gwinnett Medical Center(GMC), a not-for-profit network of healthcare providers in Gwinnett County, Georgia, has confirmed they’re investigating what they’re calling an IT incident.

Salted Hash first became aware of a possible data breach at GMC late last week, but the exact details surrounding the incident were not immediately available.

What we learned was that on Saturday (Sept. 29), IT staff at GMC Lawrenceville became aware of an incident involving several hundred patient records at the least. Immediately following the discovery, the alleged attackers sent threats.

Sometime later, an agent from the local FBI field office arrived and offered to assist, but it isn’t clear if the FBI knew something was wrong, or if the law enforcement agency was called in after the threats were made.

The chaotic weekend pushed forward, until early Tuesday morning, when alleged GMC patient data started to appear online. The posted patient details included full name, date of birth, the alleged patient’s sex, and claims the healthcare provider was attempting to coverup the incident.

When reached for comment, Beth Hardy, a spokesperson for GMC, said there was no data breach, and instead stated the not-for-profit was investigating an IT incident that became apparent last week.

In a prepared statement, GMC said day to day operations haven’t been impacted by this incident, and that external partners have been called in to assist. One of those partners is PricewaterhouseCoopers (PwC).

When pressed for details, Salted Hash was told the investigation is ongoing, and GMC is still “trying to determine the specifics of this case.”

“GMC takes cyber security very seriously and we are committed to maintaining the integrity, availability and confidentiality of our systems and data.  That starts with identifying threats and conducting audits and it includes the processes, procedures and safeguards that we have in place to protect our systems,” the healthcare provider’s statement concluded.

Calls seeking comment from the FBI field office in Atlanta were not answered.

This is an ongoing, developing story. Salted Hash will be updating this article as new information becomes available.

Update:

Shortly after this article was published, a source familiar with attacks in the medical space contacted Salted Hash with some interesting observations, considering that attempts were made online to shame GMC for the incident.

This all could be the work of Particle Matrix, given the threat actor’s nature of taunting and extortion demands against victims. Originally, the group started off using open RDP and other means to deliver homegrown ransomware payloads to medical victims, but they abandoned those efforts last year. These days, the group mostly sticks to extortion. Online, the attackers claimed they reached out to GMC’s Chief Financial Officer, Tommy McBride, but he “rejected our help.”

Another odd aspect to the taunting messages online are the affiliate links. The person(s) posting messages containing alleged GMC patient data are promoting a Lifelock affiliate link and encouraging GMC patients to register for identity theft protection.

Until more information is released however, it’s impossible to determine what group – if any – are responsible for the incident at GMC.

Update 2:

On Wednesday, the Atlanta Journal-Constitution reported that the FBI was investigating the hacking incident at Gwinnett Medical Center, quoting a spokesperson with the FBI as confirming they were “aware of the breach” and working with appropriate entities.

In an email seen by Salted Hash, the FBI confirmed their investigation, and noted that because it was an “ongoing investigation, we have no further comment.”

However, late Wednesday afternoon, the person(s) responsible for the Twitter account sharing alleged compromised patient data from GMC released more information.

In a post referencing an article on Databreaches.net, the hackers shared video captures from an AXIS IP camera, including an image of a patient in their bed. The date these images were taken is unknown.

The account also contacted Salted Hash and shared additional details including information taken from an Opti Medical blood and gas analyzer.

“[The] patient ID in the [Opti Medical] database is most helpful,” the alleged attacker(s) stated, adding that the IDs were like a Rosetta Stone for patient records. As proof, they shared a sample record with Salted Hash so that we could confirm it with GMC.

When we attempted to contact GMC for comment related to this new information, calls were not answered and went directly to voicemail.

But the most damning comment from the person(s) behind the Twitter account centered on the current breach investigation. The person(s) speaking took issue with comments made by Beth Hardy, a spokesperson for GMC, and accused the hospital of lying to the public.

In their own words, without edits or modifications, this is what they had to say:

“…ask beth how their sscom wireless handsets are working. Does GMC have control of this system. the answer is no. the last time we checked we own their ascom system and their data. tell beth the allworx phones kept us one step ahead of them. we know everything that happens…”

The fact the attackers may will still be in the system and watching what the incident response teams are up to is alarming. But Salted Hash has no way to conclusively prove this, as we’re not privy to the GMC network.

Another problematic fact is that the attackers were able to access a medical device, and it is unknown what if any data was altered on it. While this reporter freely admits he doesn’t fully understand how a blood and gas analyzer works, I’m positive that altering results or records could be quite serious if the changes were missed somehow.

When asked about how they got in to the systems, the person(s) on Twitter said that the default password was used “on most things, that was the first mistake.”

The person(s) speaking on Twitter said the data shared was new, but dates were redacted from the screenshots posted, including a phone log form the AllWorx system, a Unite Connectivity Manager configuration menu.