On June 10th, the Everest Group, a ransomware gang, publicly listed Avantic Medical Lab on their leak site, initiating a one-week countdown and displaying four screenshots of patient information as proof of a breach. While the exact timing of the attack and prior contact between Everest and Avantic remain unclear, Everest’s June 10th post served as an ultimatum for the lab to establish communication. It is currently unknown whether Avantic complied with this demand.
Despite the uncertainty surrounding Avantic’s response, Everest Group followed through on their threat, leaking a substantial 31 GB of patient files on July 3rd.
Avantic Medical Lab, based in Edison, NJ, operates as a full-service clinical laboratory, providing services to hospitals, physicians, and the broader New Jersey, New York, and Pennsylvania metropolitan areas. The leaked data contained a variety of sensitive patient information.
The compromised data included hundreds of “Patient Files” primarily related to blood draws conducted in 2018. Additionally, the leak contained information from “Explanation of Benefits” files from May 2023, referencing later testing dates for other patients, and a third folder titled “Accu Reference Send Out” also containing patient details.
Notably, the data tranche did not include databases, but rather batched reports of insurance responses and other correspondence.
The types of information exposed varied per individual and file, but could encompass a wide range of personal and medical data. This included full names, addresses, phone numbers, dates of birth, Social Security numbers, medical record numbers, referring doctor details, health insurance information (provider, policy number, member ID, claim ID), employer details, dates of blood draws, types of tests, blood test results, explanations of benefits, diagnoses, insurer correspondence, and even check or credit card information with expiration dates and CVVs for patients who paid directly.
As of the article’s publication, Avantic Medical Lab had not issued any public notice of the breach on their website, nor had a report appeared on HHS’s public breach tool. DataBreaches, the source of this information, has reached out to Avantic Medical Lab for comment regarding the attack’s impact on their systems, and whether they have notified HHS, the New Jersey Division of State Police, or the affected patients.