Threat Actor: ThreeAM
Victim: Kootenai Health
Price: Not disclosed
Exfiltrated Data Type: Personal and health information
Key Points:
- Data breach affected over 464,088 patients.
- Incident occurred following a ransomware attack on February 22, 2024.
- Exfiltrated data includes names, dates of birth, Social Security numbers, and medical information.
- Kootenai Health is offering complimentary credit monitoring and identity theft protection services.
- ThreeAM ransomware gang leaked the stolen data on their Tor site after a ransom demand was not met.
- The organization implemented additional security measures post-incident.
Kootenai Health suffered a data breach impacting over 464,000 patients following a 3AM ransomware attack.
Kootenai Health disclosed a data breach impacting over 464,088 patients following the leak of their personal information by the ThreeAM (3AM) ransomware gang.
Kootenai Health is a healthcare organization based in Coeur d’Alene, Idaho. It is a regional medical center that provides a wide range of medical services, including emergency care, surgical services, cancer care, and specialized treatments. Kootenai Health is known for its focus on comprehensive care and has facilities for both inpatient and outpatient services.
According to the data breach notification letter shared with Maine’s Attorney General’s Office, on March 2, 2024, the company observed the disruption of access to certain IT systems. It launched an investigation with the help of leading cybersecurity experts.
The investigation revealed that threat actors breached the organization’s network on or about February 22, 2024. The attackers gained access to patients’ names, dates of birth, Social Security numbers, driver’s licenses or government-issued identification numbers, medical record numbers, medical treatment and condition information, medical diagnoses, medication information, and health insurance information.
“On March 2, 2024, Kootenai Health became aware of unusual activity that disrupted access to certain IT systems. Upon discovering this activity, we took steps to secure our digital environment.” reads the data breach notification letter. “The investigation revealed that an unknown actor may have gained unauthorized access to certain data from the Kootenai Health network on or about February 22, 2024. Kootenai Health then worked to conduct a comprehensive review of the impacted data to determine what personal and/or protected health information was involved and to verify the affected information and mailing addresses for impacted individuals to ensure we had the most up to date contact information. This process was completed on August 1, 2024.”
In response to the incident, the organization announced the implementation of additional security features and notified local authorities, including the Federal Bureau of Investigation. Kootenai Health is also offering complimentary credit monitoring and identity theft protection services through IDX, A Zero Fox Company.
The ThreeAM gang has already leaked the stolen data on its Tor leak site, likely after the company refused to pay the ransom.

Symantec’s Threat Hunter Team discovered the 3AM ransomware family in September 2023. 3AM is a brand new ransomware written in Rust. Before starting the encryption process, the ransomware attempts to stop multiple services. Once the encryption of the files is completed, it attempts to delete Volume Shadow (VSS) copies. The malware appends the extension .threeamtime to the filenames of encrypted files. The ransomware is a 64-bit executable that supports multiple commands that stop applications from performing backups and that stop security software.
The malware only encrypts files matching predefined criteria.
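A defender-side triage check built on the two behaviours described above (the .threeamtime extension and shadow-copy deletion), added here as an example and not taken from Symantec or the original article. The pipe-delimited telemetry format, the host names and the sample events are constructed, and matching on `vssadmin` is an assumption, since the article does not say which command 3AM uses to delete shadow copies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".threeamtime"  # extension the article says is appended to encrypted files
# Assumption: shadow copies are removed with the standard Windows vssadmin tool.
VSS_TOKENS = ("vssadmin", "delete", "shadows")

# Constructed sample telemetry, hypothetical format: time|host|event|detail
SAMPLE = r"""
2030-01-01T03:00:01|ws-01|file_rename|C:\Users\a\q1.xlsx.threeamtime
2030-01-01T03:00:02|ws-01|file_rename|C:\Users\a\q2.xlsx.threeamtime
2030-01-01T03:00:04|ws-01|file_rename|C:\Users\a\notes.txt.ThreeAMTime
2030-01-01T03:00:09|ws-01|process_start|vssadmin.exe delete shadows /all /quiet
2030-01-01T03:05:00|ws-02|file_rename|D:\lab\sample.threeamtime
2030-01-01T03:06:00|ws-03|process_start|vssadmin.exe list shadows
"""

def parse(log):
    """Yield (timestamp, host, event, detail) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, host, kind, detail = line.strip().split("|", 3)
            yield datetime.fromisoformat(ts), host, kind, detail

def detect(log, threshold=3, window=timedelta(seconds=60)):
    """Return {host: [findings]} for rename bursts and shadow-copy deletion."""
    recent = defaultdict(deque)  # host -> times of recent .threeamtime renames
    alerts = defaultdict(set)
    for ts, host, kind, detail in sorted(parse(log)):
        low = detail.lower()  # Windows paths and commands are case-insensitive
        if kind == "file_rename" and low.endswith(EXT):
            q = recent[host]
            q.append(ts)
            while ts - q[0] > window:  # drop renames outside the sliding window
                q.popleft()
            if len(q) >= threshold:    # one stray file is not a burst
                alerts[host].add("encryption_burst")
        elif kind == "process_start" and all(t in low for t in VSS_TOKENS):
            alerts[host].add("vss_delete")
    return {h: sorted(a) for h, a in alerts.items()}

if __name__ == "__main__":
    for host, findings in detect(SAMPLE).items():
        print(host, findings)
```

A host showing both findings matches the order the article describes: encryption first, then shadow-copy deletion.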
(SecurityAffairs – hacking, Kootenai Health)