HIPAA/HITECH , Incident & Breach Response , Security Operations

Florida-Based Drug Testing Lab Says 300,000 Affected in Hack

Cybercriminal Gang RansomHub Claims It Leaked 700 Gigabytes of Lab's Stolen Data
Florida-Based Drug Testing Lab Says 300,000 Affected in Hack
American Clinical Solutions, which provides drug testing, told federal regulators a hack has compromised data of 300,000 individuals. (Image: ACS)

Florida drug testing medical laboratory American Clinical Solutions told federal regulators that 300,000 individuals are caught up in a hacking incident now that criminal gang RansomHub has published 700 gigabytes worth of data stolen from the lab's network.

See Also: Cyber Insurance Assessment Readiness Checklist

ACS, which provides patient testing for prescription and illicit narcotics to healthcare providers, reported the hacking incident on July 24 to the U.S. Department of Health and Human Services' Office for Civil Rights.

RansomHub on its dark web leak site claims the 700 gigabytes of data stolen from ACS includes Social Security numbers, addresses, drug test results, medical records, insurance information and other sensitive details. The site includes lab testing results from January 2016 until May 2024, the time of the alleged hacking incident.

"Information about an individual's use of opioids and medical marijuana is extremely sensitive," said privacy attorney David Holtzman of the consulting firm HITprivacy LLC.

"Unprotected patient information of this type could cause significant reputational harm or cause individuals to be subject to compromise through financial harm, through extortion or threats to their professional status," said Holtzman.

Several law firms, including Console & Associates P.C. and Chimicles Schwartz Kriner & Donaldson-Smith already have posted public statements on their websites saying they are investigating the incident for potential class action lawsuits.

As of Monday, ACS does not appear to have posted a breach notification statement about the incident on its website. ACS also did not immediately respond to Information Security Media Group's request for details about the data breach.

"ACS may be compounding the threat by not alerting patients to the existence of the type or scope of the breach incident," Holtzman said. "Hopefully, these facts will lead HHS or state attorneys general to look into whether ACS has complied with HIPAA standards and various state laws concerning notices for breach notification."

Medical organizations regulated by HIPAA typically must notify affected individuals within 60 days of discovery of a protected health information compromise.

There are a few limited exceptions for that breach notification timeline. "It could be that a law enforcement agency relayed that they should wait or they may have not ascertained the total number of affected individuals," said regulatory attorney Rachel Rose.

"Likely, there is a discussion going on behind the scenes," she said, referring to why ACS has not yet posted a public statement about the breach. "What also stood out to me is that this involves drug testing, which carries a higher sensitivity," she said.

While ASC is not a substance disorder treatment facility - such facilities fall under the umbrella of more stringent federal 42 CFR Part 2 privacy regulations, the sensitive nature of the compromised drug testing information nonetheless is concerning, she said.

"This type of PHI is typically considered more sensitive because of its nature - analogous to reproductive health, certain diseases such as AIDS, or mental health records," she said.

Who Is RansomHub?

RansomHub first surfaced in February and quickly took responsibility for major hacks in healthcare and other sectors.

It was the second gang to demand a ransom from Change Healthcare after the company's February ransomware attack by Alphv/BlackCat.

While Change Healthcare's parent company admitted paying a $22 million ransom in the attack, one of the BlackCat affiliates behind the Feb. 21 incident claimed BlackCat administrators kept the entirety of the ransom payment, rather than sharing the affiliate's cut.

That led to RansomHub claiming to have custody of the stolen Change Healthcare data and demanding a second ransom. UnitedHealth Group has publicly said it paid only one ransom in the incident (see: BlackCat Ransomware Group Seizure Appears to Be Exit Scam).

RansomHub also claimed to be behind a June attack on drug store chain Rite Aid, which affected the information of 2.2 million individuals (see: Rite Aid Says Ransomware Group Stole 2.2M Customers' Data).

Security firm Rapid7 in a recent report called RansomHub one of the most notable new ransomware groups.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.