Consulate Health Care is a leading provider of senior healthcare services, specializing in post-acute care. The Hive ransomware gang this week added the company to its Tor leak site, threatening to publish the stolen data.
The gang states that the attack took place on December 3rd, 2022, and was disclosed on January 6, 2023.
The gang initially leaked samples of the stolen data as proof of the attack. It claimed to have stolen contracts, NDAs and other agreement documents, company private info (budgets, plans, evaluations, revenue cycle, investors relations, company structure, etc.), employees info (social security numbers, emails, addresses, phone numbers, photos, insurances info, payments, etc.), and customers info (medical records, credit cards, emails, social security numbers, phone numbers, insurances, etc.).
The security breach was also confirmed by the victim in a notice published on its website.
“One of our vendors recently suffered a security incident in early December where cybercriminals targeted portions of their network. Our vendor promptly began working with third-party experts to help them investigate and respond to the incident. During that investigation, the vendor became aware that the unauthorized third party may have accessed records with personal information.” reads the Notice of Incident published by Consulate Health Care. “Although our vendor is still investigating the scope of that access, we are providing this notice out of an abundance of caution and because we value transparency.”
However, the security researcher Dominic Alvieri first noticed that the group leaked 550 GB of data stolen from Consulate Health Care, including customer and employee PII. He correctly speculates that the negotiations failed and the ransomware gang opted to leak all data without waiting for the planned deadline.
According to DataBreaches, the company ended negotiations after several weeks: it could not afford even the reduced amount demanded because its insurance would not cover any ransom payment.
While CHC’s notice highlights that the root cause of the data breach is an attack against a vendor, Hive representatives told DataBreaches that they “did not attack any CHC vendor but had attacked CHC directly.”
(SecurityAffairs – hacking, Consulate Health Care)