On March 15, this site noted that the East Tennessee Children’s Hospital had posted a notice about an IT security incident. At the time, they did not identify the incident as a ransomware incident.

DataBreaches.net subsequently found some explanation for that notice — a listing on a Russian-language forum offering data from ETCH with numerous screencaps and a compressed archive of files. The listing was posted by a user affiliating with a group they called “NWGEN” and stated that although ETCH had been able to recover from backup, they were “forgetting about the children’s files.” The threat actor claimed that they had “exfiled 700GB worth of .sql and .bak files(SSN, DoB, Full-names, Ages, Registered deceases and more..)” and were dumping 170GB of “useless” data at that point.

[Image: A forum listing with data from ETCH seen on a Russian-language forum in March.]

The listing did not get much response other than from one individual who noted that the original torrent link did not work. Perhaps the attacker misgauged how much people might detest them for trying to capitalize on children’s sensitive information. In any event, there is no indication of how many people may have downloaded the data, and there was no further leak of ETCH data posted on that forum by that user. A quick check of other sites did not find the data from ETCH on two other popular forums where hacked data are often leaked (but of course, there are more than three places on the internet where such data might be shared).

Today, The Daily Times in TN has an update on the incident and reports that a new press release was issued by the hospital yesterday. The following is part of that press release:

What Happened?

On March 13, 2022, ETCH identified unusual activity on its network. We promptly began taking steps to secure our systems and commenced a comprehensive investigation into the incident. Through the investigation to date, we have determined that ETCH experienced a cyber incident.
While our investigation is ongoing, on March 18, 2022, we determined that certain documents stored within ETCH’s environment may have been copied from or viewed on the system as part of the cyber incident between March 11, 2022 and March 14, 2022. Based on the investigation, ETCH is currently working to determine the scope of potentially affected information and conducting a detailed review of the potentially impacted data to determine the type of information present and to whom it relates. This effort is currently ongoing.

What Information Was Involved?

While the investigation to determine the full scope of potentially affected information is ongoing and may vary by individual, the relevant ETCH systems may have contained the following types of information at the time of the event: names, date of birth, Social Security number, driver’s license or state identification number, non-resident identification number, other demographic information, medical information, health insurance information, credit or debit card information, financial information, billing information, other personal health information, and usernames and passwords.

The full press release can be found on ETCH’s website.

But “may have been copied or viewed?” ETCH had direct knowledge and proof as to some of what had happened, as they actually negotiated with the threat actors and were given multiple examples of proof. Then, too, some data were actually dumped and made freely available to the public.

The threat actors also uploaded some of the negotiations between them and “Todd,” someone who claimed to be an IT employee for ETCH, but used a Yahoo.com address. At one point, the negotiator indicated that they would reduce their demand to $300,000.00.

The deadline given to ETCH to pay came and went, and it appears the initial data dump was reuploaded by the original poster to another file-sharing site on April 1. Yet no additional data has been leaked. Does that mean that there is still some negotiation going on?
ETCH’s press release is totally silent on the issue of ransom or any negotiations. But should ETCH have told people that they know some data has already been dumped on the internet? How much personal information does that 3.8 GB compressed archive contain? And what, if anything, have the attackers done with any patient data?