On July 15, 2024, the cybercriminal group Everest Team added Gramercy Surgery Center, a multispecialty healthcare center in Manhattan and Queens, New York, to their leak site, claiming to have stolen over 460 GB of sensitive files. On August 8, 2024, they leaked the entire data set online, including patients’ protected health information (PHI).
What happened
Gramercy Surgery Center first became aware of a potential cyber-attack on June 18, 2024. The center then moved to secure its systems and began investigating the extent of the breach. On June 28, 2024, it was confirmed that documents stored within the center’s systems had been viewed or copied between June 14 and June 17, 2024.
On July 15, 2024, the Everest Team listed Gramercy Surgery Center on their leak site, initially providing only two old files as proof of their claims. However, on August 8, 2024, the group released the entire data set online. The exposed information includes names, addresses, Social Security numbers, dates of birth, driver’s license or state identification card numbers, medical record numbers, treatment details, and health insurance information.
What was said
According to the Gramercy Surgery Center public notice, “On June 18, 2024, Gramercy Surgery Center learned that it may have been the victim of a cyber-attack. We promptly took steps to secure our systems and commenced an investigation into the nature and scope of the incident.”
The notice further confirmed, “On June 28, 2024, we determined that certain documents stored within Gramercy Surgery Center’s environment were copied from or viewed on the system as part of the incident between June 14, 2024, and June 17, 2024.”
Why it matters
Gramercy’s public notice failed to inform patients of the severity of the situation. Specifically, the notice did not mention that the data had already been leaked online or that weak password practices contributed to the breach.
Moreover, the lack of transparency prevents affected individuals from taking necessary precautions to protect themselves from potential identity theft or fraud.
The bottom line
When breaches occur, healthcare organizations must provide detailed communication to affected individuals, so they can protect themselves from further harm.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
How can covered entities protect themselves from ransomware attacks?
Covered entities must use HIPAA compliant platforms, like Paubox, which offer multi-factor authentication, access controls, and a secure cloud service to safeguard protected health information (PHI).
Additionally, regular HIPAA training can help staff avoid clicking on suspicious links or downloading files from untrusted sources, protecting the organization from ransomware attacks.
What should individuals do if their data is compromised?
If individuals suspect their data is compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Furthermore, they should use identity theft protection services and credit monitoring to track misused information.
