Vendor Faces Lawsuit in Wake of an Apparent ‘Royal’ Attack
Software Firm’s Data Exfiltration Health Data Breach Affected Nearly 251,000
Marianne Kolbasuk McGee (HealthInfoSec) • March 9, 2023
A healthcare revenue cycle management software vendor is facing a proposed class action lawsuit in the aftermath of a December 2022 data exfiltration attack affecting nearly 251,000 patients. Ransomware group Royal has reportedly taken credit for the attack and allegedly leaked samples of the stolen data on its dark web leak site.
Attorneys filed the lawsuit against Colorado-based Reventics LLC on Monday in a Colorado federal court for plaintiff Paula Henderson on behalf of herself and others similarly affected. The company reported the network server hacking incident to the U.S. Department of Health and Human Services on Feb. 10 as affecting nearly 250,918 individuals.
Cybersecurity blog DataBreaches.net reported last month that on Feb. 13, the Royal ransomware group added Reventics to its dark web site, leaking more than 16GB of files. Royal claims those files are only 10% of what the group exfiltrated, according to the report.
Royal has been the subject of several recent alerts from government authorities. Last week, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency issued a joint advisory, warning that the group is targeting organizations in major industries including healthcare, manufacturing, communications and education (see: CISA Warns That Royal Ransomware Is Picking Up Steam).
The joint alert followed at least two earlier HHS advisories.
They include an HHS alert issued in December 2022 warning that Royal attackers appeared especially interested in hitting the U.S. healthcare sector, demanding ransoms from $250,000 to over $2 million.
“In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim,” HHS said (see: Royal Ransomware Hitting Healthcare Targets and Dumping Data).
In a sample breach notification letter provided to the Montana attorney general’s office on Feb. 10, Reventics says that on Dec. 15, 2022, it detected “certain anomalies” in its systems, including a cyber intruder who had encrypted and potentially accessed sensitive information on the company’s servers.
In a notice posted on its website, Reventics said that forensics experts on Dec. 27 determined that the intruder had accessed and exfiltrated personally identifiable information and protected health information.
That data includes patients’ full names, birthdates, Social Security numbers, financial information, healthcare providers’ names and addresses, health plan names, clinical information, and codes for the medical procedures and services provided to the individuals, Reventics says.
Upon detecting the incident, and to mitigate any potential harm, Reventics says it “immediately took action to secure the affected systems and contain the incident.” The company notified its “other stakeholders” and engaged an international law firm to assist with notifying law enforcement, Reventics says in its sample notification letter.
“In the aftermath of the incident and on an ongoing basis, Reventics internal teams continue to work diligently with their third-party cybersecurity consultants to further fortify Reventics’ systems,” the letter says.
The proposed class action lawsuit, among other claims, alleges that Reventics “intentionally, willfully, recklessly or negligently failed to take and implement adequate and reasonable measures to ensure that representative plaintiff’s and class members’ PHI/PII was safeguarded.”
The lawsuit alleges that as a result of the breach, plaintiffs and class members “suffer forms of injury and/or harm, including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses” and continued risks of their PHI/PII being used for identity theft crimes, fraud and abuse.
The lawsuit complaint makes no specific references to Royal or to reports of Reventics’ stolen data allegedly showing up on the cybercriminal group’s dark web leak site. Plaintiffs and class members are seeking relief including damages and improvements to Reventics’ data security practices.
Neither Reventics nor attorneys representing the plaintiffs in the lawsuit against the company immediately responded to Information Security Media Group’s requests for additional details about the incident and comment on the litigation.
While it’s safe to assume that individual victims of a major data breach don’t want their stolen information posted on a dark web leak site, such developments can potentially bolster plaintiff lawsuits that invariably get filed in the aftermath of data security incidents, such as in the Reventics case, some legal experts say.
“If a data exfiltration victim’s PHI is listed for sale on the dark web, it can support assertions that the harm is ongoing or imminent from an Article III standing perspective,” said attorney Steven Teppler, partner and chief cybersecurity legal officer of law firm Mandelbaum Barrett PC.
“Because of the especially sensitive nature of PHI, the dark web presence for sale of data breach PHI, in my view, certainly supports arguments in support of finding harm or injury,” said Teppler, who is not involved in the Reventics lawsuit.
“Moreover, unlike other types of personally identifiable information offered for dark web sales – such as financial, etc. – PHI is, again in my view, evergreen and leaves the victim subject to ID theft, for medical services theft, other social engineering for a very long time.”
On the flip side, “just because information has not appeared for sale on the ‘easily accessible’ dark web after a hacking incident does not necessarily mean that it’s not being offered in more private sites, or simply being used by the threat actor for its internal purposes, such as corporate espionage,” Teppler said.