Empress EMS which provides emergency and non-emergency medical transportation in New York State was hit by a ransomware attack. According to a notice published by the healthcare provider, the incident was identified on July 14 wherein several systems on its network were encrypted. This hampered accessing the data on those systems.
Details of the Ransomware Attack
Hackers attacked the system of Empress EMS on May 26, 2022, and exfiltrated several pieces of content in July, 13. Over 318,558 patient data were breached. Empress EMS published a notice of security incident stating that the breached information included Social Security numbers, patient names, dates of service, and insurance information.
Attack linked to Hive Ransomware Gang
The incident has been linked to the Hive ransomware team. DataBreaches.net which provides information about cyber-attacks published details of communication between Hive and the Empress EMS on its website. It read,
“! ! ! DO NOT TRY TO DECRYPT OR CHANGE ENCRYPTED FILES ON YOUR COMPUTERS, IT WILL COMPLETELY DESTROY THEM ! ! !
Ladies and gentlemen! Attention, please!
This is HIVE ransomware team.
We infiltrated your network and stayed there for 12 days (it was enough to study all your documentation and gain access to your files and services),
encrypted your servers.
Downloaded most important information with a total size over 280 GB
Few details about information we have downloaded:
– contracts, nda and other agreements documents
– company private info (budgets, plans, investments, company bank statements, etc.)
– employees info (SSN numbers, emails, addresses, passports, phone numbers, payments, working hours, etc.)
– customers info (SSN numbers, emails, addresses, passports, phone numbers, payments, working hours, etc.)
– SQL databases with reports, business data, customers data, etc.
– approximate number of personal records including addresses and ssn’s data is above 10000 units.”
Healthcare is a critical sector, and such ransomware news attacks pose a danger to the lives of people. RedPacket Security which provides infosec news made a disclosure titled ‘HIVE Ransomware Victim: Empress EMS’ on its blog on July 28, 2022. It read “Empress EMS with the company website ‘empressems[.]com’ was cyber-attacked on 14 July 2022 – 09:24:00” wherein its data was encrypted. The date when it was disclosed was mentioned to be 7/26/2022 followed by information stating that the files were made available to be downloaded.
The encrypted files were made available on the dark web in July which posed a risk to the privacy of the users. RedPacket Security reported on its blog that the information was redacted from the HIVE Onion dark web tor blog page.
Empress EMS Acts Fast
To prevent further damage, Empress EMS reported the incident to law enforcement and also had a third-party forensic firm conduct a thorough investigation. Affected users are being alerted about the data breach and ransomware attack by mail. The company urged impacted individuals and otherwise to review their healthcare statements for any inaccuracies in terms of services they received. The same can be reported to its provider.
They can use the credit monitoring services offered to check their credit in the wake of the incident. Users may contact the dedicated external call center as well for any queries at 844-690-1251, Monday through Friday between 9.00 a.m. to 9.00 p.m.
American consumer rights law office Cole & Van Note has also taken up the case for further investigation and to help provide compensation to its clients for any losses.
