Hive ransomware group claims to steal California health plan patient data

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – August 3. Join AI and data leaders for insightful talks and exciting networking opportunities. Learn More


The Hive ransomware group, known for attacking healthcare organizations, posted on its darkweb site that it has stolen 850,000 personally identifiable information (PII) records from the Partnership HealthPlan of California.

The organization’s website currently consists of a landing page that says the health plan has been “experiencing technical difficulties,” including a “disruption to certain computer systems.” The organization’s phone systems have a similar message, with a recorded message saying that “all of our systems are down, with no expected time of repair.”

“We are working diligently with third-party specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality to our systems as soon as possible,” the health plan said in the message on its website, which is not dated.

The Partnership HealthPlan of California says it has set up Gmail addresses for patients and providers to contact. VentureBeat has emailed the address for general inquiries.

Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said in a message to VentureBeat that “establishing alternative communication channels is a standard play in incident response.”

“Even if your email system is working, the attackers could have access and be able to monitor communications,” Callow said.

website
Screenshot of the website for the Partnership HealthPlan of California, taken March 29 at 4:30 p.m.

The technical issues appear to have begun several days ago. The Press Democrat reported on the issues on March 24, without mention of a cyberattack, and indicated that the health plan has more than 618,000 members in Northern California.

The Hive ransomware group posted its claim about the stolen Partnership HealthPlan of California data on Tuesday. The data includes 850,000 unique PII records, such as name, social security number and address, according to the group. The stolen data also includes 400 GB of stolen files from the organization’s server, Hive claimed.

The ransomware group has been active since at least June 2021, which is the first time the group posted on its “HiveLeaks” darkweb site.

Past reported ransomware attacks by Hive have included an August 2021 attack against Memorial Health System, which has hospitals in Ohio and West Virginia, and an October 2021 attack against Johnson Memorial Health in Indiana.

A previous alert from the FBI warned that the Hive ransomware group “likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.”

“Hive ransomware uses multiple mechanisms to compromise business networks, including phishing
emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the FBI said. “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.’”

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More

Leave a Reply