On August 10, 2024, the Gramercy Surgery Center, which operates facilities in Manhattan and Queens, New York, was reported to have experienced a significant data breach. The hacking group Everest Team claimed responsibility, having added Gramercy to their leak site on July 15, 2024. While Everest Team asserted they had obtained over 460 GB of data, the initial proof provided consisted of images of two old files. Despite multiple attempts by DataBreaches to seek clarification from Gramercy, the organization did not respond to inquiries about the breach.
The breach was first detected by Gramercy on June 18, 2024. The center’s website disclosed that between June 14 and June 17, 2024, certain documents were copied or viewed during the attack. The compromised data includes sensitive personal information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical record numbers, treatment details, and health insurance information. However, Gramercy’s notice does not specify the exact number of affected individuals or the full extent of the compromised data.
Gramercy’s notice did not indicate any ransom demand from Everest Team, which typically does not encrypt files but may demand payment to avoid data leaks. The absence of a ransom demand suggests that Gramercy may not have engaged in negotiations with the attackers or failed to meet their demands. The leaked data is now available on the dark web, raising concerns about the security and privacy of the individuals involved.
The breach highlights the critical need for timely and transparent communication from organizations affected by data breaches. Gramercy has yet to notify the Department of Health and Human Services (HHS) or provide comprehensive information to affected patients. DataBreaches stresses the importance of informing individuals about data leaks so they can take appropriate measures to protect themselves from potential risks. This incident underscores the broader challenges faced by healthcare organizations in securing sensitive patient information against cyber threats.
Reference:
