Ransomware group claims it stole more than 730,000 files from Kettering Health

Some, but not all, of the data appears to be on the dark web.
Soin Medical Center, a Kettering Health hospital located at 3535 Pentagon Blvd. in Beavercreek. A ransomware group called Interlock is claiming responsibility for the May 20 cyberattack at Kettering Health that led to a system-wide technology outage, from which the hospital organization is still recovering. Interlock claims on its dark web site that it stole 941 GB of data from Kettering Health, according to multiple tech news sites. MARSHALL GORBY\STAFF

A ransomware group called Interlock is claiming it stole 941 gigabytes of data, which includes more than 730,000 files, from Kettering Health after recently taking credit for the May 20 cyberattack against the hospital organization, according to cybersecurity experts.

The May 20 cyberattack caused a systemwide technology outage at Kettering Health, from which the hospital system is still recovering.

The ransomware group Interlock claimed to have stolen 732,490 files across 20,418 folders from Kettering Health, posting about it on its data leak site on the dark web, according to an image posted by the cybersecurity firm Comparitech and other tech news sites.

Kettering Health said in its latest update on the technology outage that it believes Interlock to be the group behind the May 20 cyberattack. The hospital organization did not respond to any of the claims about the stolen data.

“We have strong confidence that our network-connected devices are secure, and our connections to our partners are fully protected,” Kettering Health said.

Last week, Kettering Health CEO Michael Gentry said a “small subset” of its data had been accessed by an unauthorized user and the hospital organization was still working on finding out what was accessed.

The stolen files allegedly include identification cards, payment data, financial documents and more, Comparitech said.

“They post it online to sell it,” said JP Castellanos, director of threat intelligence at Binary Defense, a cybersecurity company in northeast Ohio.

In addition to trying to sell the data, the perpetrators may be trying to force Kettering Health to pay money.

Castellanos also saw the post on Interlock’s data leak site on the dark web, saying the ransomware group is likely using a double extortion technique. Because Kettering Health likely didn’t give in to the ransom request, Interlock is potentially trying to get Kettering Health to pay them by exposing some of what they have online.

This technique can potentially cause reputational harm to Kettering Health, given that publishing the data can be a violation of federal law that restricts the release of patient health information.

TechCrunch, another tech news site, reviewed some of what was posted, saying the documents include patient information, clinical summaries and employee data.

When the cyberattack happened, sources told the Dayton Daily News that hackers appeared to be threatening to destroy data and publicly publish sensitive data on the dark web if hospital officials didn’t reach out and negotiate within 72 hours.

Hospital administrators on May 23 confirmed they believed the cyberattack was a ransomware attack. They said they did not have any direct contact with the perpetrator and did not pay any ransom.

Since May 20, patients have dealt with canceled appointments, delayed medical treatments and an inability to call their care teams or access MyChart. Certain patients needing emergency medical care were diverted from Kettering Health’s emergency rooms during most of this outage, but that diversion ended last week.

On Monday, Kettering Health was able to get access back to its internal health records software, Epic, though work is still ongoing with MyChart, an online patient portal.

Kettering Health listed its other actions in its ongoing technology recovery in its latest update, including:

  • Complete threat removal: The tools and persistence mechanisms used by the third-party group have been eradicated, and all affected systems have been secured, according to Kettering Health. 
  • Security enhancements: A review of all systems was conducted by external partners and Kettering Health’s internal team. They found necessary security protocols, including network segmentation, enhanced monitoring, and updated access controls, are in place.
  • Vulnerability assessment and patching: External partners and Kettering Health’s internal team reviewed its systems. All updates and patches are in place. 

For Kettering Health patients with urgent health questions, call 937-600-6879 between 8 a.m. and 5 p.m., Monday through Friday.

After hours, Kettering Health Medical Group patients can call MatchMD at 1-866-257-5363.

For medical emergencies, patients are urged to go to the nearest emergency department.

Kettering Health has 14 area medical centers and more than 120 outpatient locations throughout Western Ohio, as well as Kettering Physician Network, which includes more than 700 board-certified providers.