
Partnership HealthPlan of California IT Systems Still Down

Nonprofit Managed Care Provider Allegedly Hit by Hive Ransomware
PHC’s listing on Hive’s dedicated data leak site

This article has been updated to reflect that HiveLeaks removed PHC's listing from its dark web site on Wednesday.


An apparent ransomware attack and alleged data theft by the Hive cybercriminal group has left a California nonprofit managed care health plan provider struggling for more than a week to recover its IT services.

Fairfield, California-based Partnership HealthPlan of California in a notice posted on its website says it "recently began experiencing technical difficulties, resulting in a disruption to certain computer systems."

A voice greeting on PHC's member services line on Thursday told callers, "we are experiencing technical problems and all our systems are down with no expected time of repair."

PHC started notifying some regional healthcare clinics on March 21 that its systems were down, according to local news site The Press Democrat.

A listing posted Tuesday on the dark web data leak site of ransomware group Hive, which has since been removed, claimed that PHC's data was encrypted on March 19 and "disclosed" on Tuesday. The HiveLeaks site claims data stolen from PHC includes 400GB of files from a file server and 850,000 "unique records" of personally identifiable information, including names, addresses, dates of birth and Social Security numbers.

PHC on its LinkedIn page describes itself as "a nonprofit community-based healthcare organization that contracts with the state to administer Medi-Cal benefits through local care providers to ensure Medi-Cal recipients have access to high-quality comprehensive cost-effective healthcare." Medi-Cal is California’s Medicaid program.

Processes Disrupted

In the statement posted on its website, PHC says: "We are working diligently with third-party specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality to our systems as soon as possible."

PHC's website statement also says that PHC currently is unable to receive or process treatment authorization requests, or TARs.

"For procedures scheduled within the next two weeks, inpatient admission or for urgent services, please proceed with providing the necessary treatments and the appropriate TARs can be completed retroactively."

A TAR is a form needed to preapprove funding for treatment and procedures covered by Medi-Cal.

PHC did not immediately respond to Information Security Media Group's request for details and comment about the incident.

Federal Warning

Federal authorities, including the FBI, and some security experts have been warning the healthcare sector and other industries about threats involving the Hive ransomware group.

The FBI issued an August 2021 warning about Hive ransomware threats.

Other healthcare sector entities reportedly hit by Hive include Memorial Health System, a three-hospital system based in Marietta, Ohio, which experienced a disruptive ransomware attack last August.

That incident resulted in MHS reporting to regulators in January a protected health information breach affecting nearly 216,500 individuals.

The MHS breach is also the subject of at least one proposed class action lawsuit that alleges negligence, among other claims.

The FBI in an alert issued August 2021 warned that Hive "uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments, to gain access and remote desktop protocol to move laterally once on the network."

After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network, the FBI alert says. "The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, HiveLeaks," the alert says.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
