The RansomHouse threat group listed United Urology Group on its data leak site, together with samples of information purportedly stolen during the cyberattack. United Urology Group is a national network of urology specialists based in Maryland including Tennessee Urology, Arizona Urology Specialists in Phoenix, Scottsdale, Glendale & Mesa, Chesapeake Urology, Arizona Urology Specialists Tucson, and Colorado Urology. United Urology Group has not confirmed the occurrence of the cyberattack or data breach.
On May 23, RansomHouse threat actors announced having encrypted United Urology Group’s system on May 4 and stole approximately 300 GB of records. RansomHouse added a note to its listing addressed to the management of Urology Group. The note states that the threat group has proof of United Urology Group’s multiple HIPAA violations, and the following data:
- ~ 3200 diagnostic data files
- ~ 10,000 personal data records and files
- ~ 1600 SSNs and other personal information
- Over 10000 Radiology reports
- ~ 1.6kk+ patient data records
- Gaitherburg’s Cancer center’s information
- Different NDAs and confidentiality agreements
DataBreaches is unable to verify all of the claims. A review of parts of a data tranche presented as evidence of claims did show numerous files including protected health information (PHI). One directory even showed many radiology reports of identified patients. Other files included other PHI and PII, for example, diagnoses reports and photos of driver’s licenses.
Certain files included company internal data. DataBreaches mentioned files that included logins and passwords that seemed to be new. DataBreaches didn’t test any credentials to find out whether they still work but it mentioned that the information also included security questions and answers for an employee.
Though DataBreaches found some evidence for part of RansomHouse’s statements regarding the types of data, the “multiple HIPAA violation” allegation seems exaggerated. DataBreaches’ examination of files discovered that United Urology Group records all incident “under 500 affected” reports to HHS as part of its yearly report. DataBreaches did not find anything that seemed specifically abnormal or noteworthy. Though any breach, such as a single mismailing of patient data, is not good and is reportable, they are inevitable.
United Urology Group’s website has no notification post yet. DataBreaches sent two emails to United Urology Group executives to find out what the company was doing as a reaction to the breach and if they already deactivated all the leaked login data. UUG has no response. When questioned about negotiations between UUG and RansomHouse, RandomHouse replied that there were no talks.
