Reventics Logo for Cerner Apps
(Image source: Reventics, 2021)
One-sentence summary:
Reventics, LLC, an Omega Healthcare subsidiary, was allegedly attacked by the Royal ransomware group in 2022, resulting in the potential breach of over 250,000+ patient records.
Who was involved?
Allegedly the Royal ransomware group, Reventics, and 250,000+ patients.
What was the timeline?
December 15, 2022: Breach starts and Reventics detects the breach. Breach allegedly ends the same day.
December 27, 2022: Third-party incident response team confirms the details of the breach (Reventics, n.d., para. 2).
February 10, 2023: Reventics reports the breach to HHS (HHS, 2023).
February 13, 2023: Royal ransomware group allegedly leaks 16GB of the breached data on the dark web (Ransomware Posts, 2023).
What occurred?
In December 2022, Reventics was allegedly hacked by the Royal ransomware group (Reventics, n.d., para. 2; Eurepoc, 2023; ThreatMon Ransomware Monitoring, 2023). The breach quickly ends after Reventics brings in an “international cybersecurity and forensic consulting firm,” who helped “quickly contain” the incident and “continue operations uninterrupted” (Attorney General of Montana, 2023; Reventics, 2023, p. 1; Reventics, n.d., para. 3). The Royal ransomware group appears to claim responsibility for the breach on the dark web and has posted 16GB of (partial) data there (ThreatMon Ransomware Monitoring, 2023; HackNotice, 2023; Ransomware Posts, 2023). Breached data included both PHI and PII, including: “first and last name, data of birth, social security number, financial information, healthcare provider’s name and address, health plan name, clinical data” and billing codes (Reventics, n.d., para. 2).
Estimated costs:
Outside incident response costs plus notification costs. 12 hour M-F call center (Reventics, n.d., para. 4). Identity management services: “12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services” (Reventics, 2023, p. 1).
Involved laws:
Federal: HIPAA and HITECH
State: Mont. Code Ann. § 30-14-1704
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Commentary:
Reventics refers to the threat actor as a “cyber-intruder who encrypted and potentially accessed sensitive information” (Reventics, 2023, p. 1). However, as a cybersecurity professional, it is obvious that a threat actor is only going to encrypt as a significant event in a breach in order to ransom the victims (other than to transport/exfiltrate the files through an encrypted channel or protocol such as TLS). Thus, this came off as omitting something larger and warranted deeper investigation, which did confirm a ransomware group was allegedly claiming responsibility for the event.
Sources:
Attorney General of Montana. (2023, February 10). REPORTED DATA BREACH INCIDENTS. Montana Department of Justice. Retrieved March 1, 2023, from https://dojmt.gov/consumer/databreach/
Eurepoc. (2023, February 20). Potential criminal actor gained access to the network of healthcare provider Reventics and stole patient information in December 2022 | EuRepoC: European Repository on Cyber Incidents. European Respository of Cyber Incidents. Retrieved March 1, 2023, from https://eurepoc.eu/incident/potential-criminal-actor-gained-access-to-the-network-of-healthcare-provider-reventics-and-stole-patient-information-in-december-2022-1
HackNotice. (2023, February 12). HackNotice: Reventics Hack. hacknotice.com. Retrieved March 1, 2023, from https://app.hacknotice.com/
HHS. (2023, February 10). U.S. Department of Health & Human Services – Office for Civil Rights. Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. Retrieved March 1, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Ransomware Posts. (2023, February 13). github.io. Retrieved March 1, 2023, from https://privtools.github.io/ransomposts/
Reventics. (n.d.). notice-of-data-security-incident.png. Reventics.com. https://reventics.com/images/email-images/notice-of-data-security-incident.png
Reventics. (2021, February). reventics-logo-for-cerner-apps-v2.jpg. cerner.com. https://code.cerner.com/-/media/code-media-folder/apps/reventics/feb2021/reventics-logo-for-cerner-apps-v2.jpg?vs=5
Reventics. (2023). Notice of Data Security Incident. In REPORTED DATA BREACH INCIDENTS. Montana Department of Justice. Retrieved March 1, 2023, from https://dojmt.gov/wp-content/uploads/Consumer-notification-letter-62.pdf
ThreatMon Ransomware Monitoring. (2023, February 13). ThreatMon Ransomware Monitoring on. Twitter. Retrieved March 1, 2023, from https://twitter.com/TMRansomMonitor/status/1625205879980101663
