Kootenai Health data breach impacted 464,000 patients

Kootenai Health suffered a data breach impacting over 464,000 patients following a 3AM ransomware attack.

Kootenai Health disclosed a data breach impacting 464,088 patients following the leak of their personal information by the ThreeAM (3AM) ransomware gang.

Kootenai Health is a healthcare organization based in Coeur d’Alene, Idaho. It is a regional medical center that provides a wide range of medical services, including emergency care, surgical services, cancer care, and specialized treatments. Kootenai Health is known for its focus on comprehensive care and has facilities for both inpatient and outpatient services.

According to the data breach notification letter shared with Maine’s Attorney General’s Office, on March 2, 2024, the organization observed the disruption of access to certain IT systems. It launched an investigation with the help of leading cybersecurity experts.

The investigation revealed that threat actors breached the organization’s network on or about February 22, 2024. The attackers gained access to patients’ names, dates of birth, Social Security numbers, driver’s licenses or government-issued identification numbers, medical record numbers, medical treatment and condition information, medical diagnoses, medication information, and health insurance information.

“On March 2, 2024, Kootenai Health became aware of unusual activity that disrupted access to certain IT systems. Upon discovering this activity, we took steps to secure our digital environment.” reads the data breach notification letter. “The investigation revealed that an unknown actor may have gained unauthorized access to certain data from the Kootenai Health network on or about February 22, 2024. Kootenai Health then worked to conduct a comprehensive review of the impacted data to determine what personal and/or protected health information was involved and to verify the affected information and mailing addresses for impacted individuals to ensure we had the most up to date contact information. This process was completed on August 1, 2024.”

In response to the incident, the organization announced the implementation of additional security features and notified local authorities, including the Federal Bureau of Investigation. Kootenai Health is also offering complimentary credit monitoring and identity theft protection services through IDX, a ZeroFox company.

The ThreeAM gang has already leaked the stolen data on its Tor leak site, likely after the organization refused to pay the ransom.

Symantec’s Threat Hunter Team discovered the 3AM ransomware family in September 2023. 3AM is a brand new ransomware written in Rust. Before starting the encryption process, the ransomware attempts to stop multiple services. Once the encryption of the files is completed, it attempts to delete Volume Shadow (VSS) copies. The malware appends the extension .threeamtime to the filenames of encrypted files. The ransomware is a 64-bit executable that supports multiple command-line options and stops applications related to backups and security software.

The malware only encrypts files matching predefined criteria.
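The three behaviours described above (mass service stops before encryption, deletion of Volume Shadow copies afterwards, and the .threeamtime extension on encrypted files) are all observable in ordinary endpoint telemetry. The following detector is an added example written for this article, not code from Symantec or from the Kootenai Health investigation. It runs over a small set of constructed process-creation and file-write events; the host names, service names, file paths, the specific shadow-copy deletion command patterns and the service-stop threshold are assumptions made for the example, not details taken from the 3AM sample or the incident.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (invented for this example, not data from the
# Kootenai Health incident). Each record is a simplified process-creation or
# file-write event as an EDR or Sysmon pipeline might emit it.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "process", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "ws01", "kind": "process", "cmdline": "net stop VeeamBackupSvc /y"},
    {"host": "ws01", "kind": "process", "cmdline": "sc stop WinDefend"},
    {"host": "ws01", "kind": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "kind": "file", "path": "C:\\Users\\alice\\Documents\\report.docx.threeamtime"},
    {"host": "ws01", "kind": "file", "path": "C:\\Users\\alice\\Documents\\RECOVER-FILES.txt"},
    {"host": "ws02", "kind": "process", "cmdline": "net stop Spooler"},  # benign single stop
    {"host": "ws02", "kind": "file", "path": "C:\\Users\\bob\\notes.txt"},
]

# Common ways Volume Shadow copies are deleted from the command line
# (assumed patterns for this example; the article does not list the exact
# command 3AM uses).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*delete", re.I),
]
# "net stop <svc>" / "sc stop <svc>"; group 1 captures the service name.
SERVICE_STOP_PATTERN = re.compile(r"^(?:net|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)
THREEAM_EXT = ".threeamtime"
# Distinct services stopped on one host before we call it a mass stop (assumed).
SERVICE_STOP_THRESHOLD = 3


def is_shadow_copy_deletion(cmdline):
    """True if the command line matches a known shadow-copy deletion idiom."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def stopped_service(cmdline):
    """Return the service name if the command stops a service, else None."""
    m = SERVICE_STOP_PATTERN.match(cmdline.strip())
    return m.group(1) if m else None


def has_threeam_extension(path):
    """True if the written file carries the extension 3AM appends."""
    return path.lower().endswith(THREEAM_EXT)


def analyze(events):
    """Return (host, rule, evidence) findings for the three 3AM behaviours.

    Per-event rules fire immediately; the mass-service-stop rule aggregates
    distinct stopped services per host and fires once the threshold is met.
    """
    findings = []
    stops = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "process":
            cmd = ev.get("cmdline", "")
            if is_shadow_copy_deletion(cmd):
                findings.append((host, "shadow_copy_deletion", cmd))
            svc = stopped_service(cmd)
            if svc:
                stops[host].add(svc)
        elif ev["kind"] == "file":
            if has_threeam_extension(ev["path"]):
                findings.append((host, "threeam_extension", ev["path"]))
    for host, services in stops.items():
        if len(services) >= SERVICE_STOP_THRESHOLD:
            findings.append((host, "mass_service_stop", ",".join(sorted(services))))
    return findings


if __name__ == "__main__":
    for host, rule, evidence in analyze(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{evidence}")
```

On the constructed events the detector flags ws01 three times (shadow-copy deletion, an encrypted-file extension, and a mass service stop across MSSQLSERVER, VeeamBackupSvc and WinDefend) and stays silent on ws02, whose single `net stop Spooler` is below the threshold. The extension rule is the cheapest signal but fires only once encryption has started; the service-stop and shadow-copy rules are the ones worth alerting on early, since the article places them before and immediately after encryption respectively.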


Pierluigi Paganini

(SecurityAffairs – hacking, Kootenai Health)