Two not-for-profit hospitals in New York are seeking a court order to retrieve data stolen in an August ransomware attack and now stored on the servers of a Boston cloud storage company.
Carthage Area Hospital and Claxton-Hepburn Medical Center (the attack’s victims) have founded the North Star Health Alliance, a collaborative partnership focused on providing healthcare services across the northern New York area.
Together, they serve more than 220,000 residents living in Jefferson, northern Lewis, southern St. Lawrence Counties, Ogdensburg, and St. Lawrence County.
The LockBit ransomware gang claimed responsibility for breaching and stealing sensitive files from their systems in late August, with a press release published by the hospitals one week later saying the incident forced them to redirect patients requiring urging care to other hospitals’ emergency departments.
“Carthage Area Hospital and Claxton Medical Center Information Technology (IT) teams continue work to stabilize all systems following a cybersecurity incident discovered by internal security software last Thursday night,” the hospitals said.
“All patients with appointments that need to be re-scheduled will be contacted. Any patient with urgent health concern should still call their healthcare provider. Patients with emergency conditions should go to their nearest emergency department.”
While investigating the incident with the FBI’s help, the hospitals found that the data stolen by Lockbit’s affiliates (including patients’ names, addresses, dates of birth, financial information, social security numbers, health insurance, and other personally identifying and protected health information) is now stored on the servers of Wasabi Technologies, a cloud storage company in Boston, Massachusets.
Lawsuit to recover stolen PII and health data
In a bid to recover the stolen data from Wasabi’s servers, the hospitals have now taken legal action against the cybercriminals who stole the files, asking the court to order Wasabi to return the stolen data to the North Star Health Alliance hospitals and issue an order requiring the ransomware group to destroy all the copies they made.
“So the best option explored by our legal team and working with the FBI is actually going after that company to get our secluded data so that we can be sure what information was leaked,” North Star Health Alliance CEO Richard Duvall told 7News.
According to court documents, the cloud storage firm has already provided the FBI with copies of the data requested by the hospitals.
“The Hospital Group requires injunctive relief against the Defendants and other entities, preventing the access, transfer or duplication of the Stolen Data and requiring that, after the Stolen Data is returned to the Hospital Group, all other copies of the Stolen Data be destroyed,” the complaint reads.
“Upon Information and belief, Wasabi has already provided copies of the stolen data to the FBI.”
LockBit has also disrupted emergency care at three German hospitals on Christmas Eve, forcing them to divert emergency cases elsewhere, resulting in potential critical delays. Another LockBit affiliate attacked the Hospital for Sick Children (SickKids) in Toronto one week before last Christmas, causing diagnostic and treatment delays.
The LockBit ransomware-as-a-service (RaaS) operation was first spotted in September 2019, with its victim list including the Continental automotive giant, the UK Royal Mail, the City of Oakland, and the Italian Internal Revenue Service.
A joint advisory published in June by cybersecurity authorities worldwide revealed that this ransomware gang has extorted at least $91 million from U.S. organizations following at least 1,700 attacks since 2020.