Pacific Pulmonary Medical Group (PPMG), a healthcare provider in California, is facing a major data breach after sensitive patient information was dumped on the dark web by the Everest Ransomware Team. The breach was first identified when the Everest Team added PPMG to its leak site, exposing a significant amount of unencrypted personal and protected health information. The leaked files included more than 150 image files, which featured the front and back of patients’ insurance cards, as well as images of driver’s licenses in some cases. Additionally, several .csv files were released containing detailed patient information.
The information exposed in the breach is extensive, comprising both personal and health data from 2021 to 2024. The personal data includes names, addresses, phone numbers, Social Security numbers, dates of birth, email addresses, and more. Health-related data includes patient ID numbers, appointment details, insurance information, and even emergency contact information. These files represent sensitive information for patients who may have visited PPMG over several years, with each .csv file covering a two-week period, containing between 300 to 500 rows of data on individual patient visits.
The most recent .csv file revealed data up to October 4, suggesting that the data was exfiltrated shortly before that date. As the breach includes multiple years of patient information, the full extent of the number of affected individuals is difficult to ascertain. However, each file likely represents numerous unique patients, increasing the breach’s scale and severity. The breach involves highly sensitive personal and healthcare data, which could lead to significant privacy concerns for affected individuals.
Despite the seriousness of the breach, Pacific Pulmonary Medical Group has yet to issue any public notification regarding the incident. No updates have appeared on their website, and the breach has not been reported through the U.S. Department of Health and Human Services’ breach tool. Efforts to reach PPMG for comment have been unsuccessful, leaving patients and the public in the dark about the full impact of this breach and the provider’s plans to address the situation.
Reference:
