Hive ransomware group claims to steal California health plan patient data

The Hive ransomware group, known for attacking healthcare organizations, posted on its dark web site that it has stolen 850,000 personally identifiable information (PII) records from the Partnership HealthPlan of California.

The organization’s website currently consists of a landing page that says the health plan has been “experiencing technical difficulties,” including a “disruption to certain computer systems.” The organization’s phone systems have a similar message, with a recorded message saying that “all of our systems are down, with no expected time of repair.”

“We are working diligently with third-party specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality to our systems as soon as possible,” the health plan said in the message on its website, which is not dated.

The Partnership HealthPlan of California says it has set up Gmail addresses for patients and providers to contact. VentureBeat has emailed the address for general inquiries.

Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said in a message to VentureBeat that “establishing alternative communication channels is a standard play in incident response.”

“Even if your email system is working, the attackers could have access and be able to monitor communications,” Callow said.

The technical issues appear to have begun several days ago. The Press Democrat reported on the issues on March 24, without mention of a cyberattack, and indicated that the health plan has more than 618,000 members in Northern California.

The Hive ransomware group posted its claim about the stolen Partnership HealthPlan of California data on Tuesday. The data includes 850,000 unique PII records, such as name, social security number and address, according to the group. The stolen data also includes 400 GB of stolen files from the organization’s server, Hive claimed.

Update, March 30: The Partnership HealthPlan of California website, viewed as of March 30 at 4:30 p.m. PST, had been updated to say that the organization “recently became aware of anomalous activity on certain computer systems within its network”:

We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation. Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines.

“HiveLeaks”

The Hive ransomware group has been active since at least June 2021, which is the first time the group posted on its “HiveLeaks” dark web site.

Past reported ransomware attacks by Hive have included an August 2021 attack against Memorial Health System, which has hospitals in Ohio and West Virginia, and an October 2021 attack against Johnson Memorial Health in Indiana.

A previous alert from the FBI warned that the Hive ransomware group “likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.”

“Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the FBI said. “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.'”