United Urology Group Listed on RansomHouse Data Leak Site

The RansomHouse threat group listed United Urology Group on its data leak site, together with samples of information purportedly stolen during the cyberattack. United Urology Group is a national network of urology specialists based in Maryland, including Tennessee Urology, Arizona Urology Specialists in Phoenix, Scottsdale, Glendale & Mesa, Chesapeake Urology, Arizona Urology Specialists Tucson, and Colorado Urology. United Urology Group has not confirmed the occurrence of the cyberattack or data breach.

On May 23, RansomHouse threat actors announced that they had encrypted United Urology Group’s system on May 4 and stolen approximately 300 GB of records. RansomHouse added a note to its listing addressed to the management of Urology Group. The note states that the threat group has proof of United Urology Group’s multiple HIPAA violations, and the following data:

  • ~ 3200 diagnostic data files
  • ~ 10,000 personal data records and files
  • ~ 1600 SSNs and other personal information
  • Over 10000 Radiology reports
  • ~ 1.6kk+ patient data records
  • Gaitherburg’s Cancer center’s information
  • Different NDAs and confidentiality agreements

DataBreaches is unable to verify all of the claims. A review of parts of a data tranche presented as evidence of the claims did show numerous files containing protected health information (PHI). One directory even showed many radiology reports of identified patients. Other files included other PHI and PII, for example, diagnosis reports and photos of driver’s licenses.

Certain files included company internal data. DataBreaches mentioned files that included logins and passwords that seemed to be new. DataBreaches didn’t test any credentials to find out whether they still work, but it mentioned that the information also included security questions and answers for an employee.

Though DataBreaches found some evidence for part of RansomHouse’s statements regarding the types of data, the “multiple HIPAA violations” allegation seems exaggerated. DataBreaches’ examination of the files found that United Urology Group reports all “under 500 affected” incidents to HHS as part of its yearly report. DataBreaches did not find anything that seemed specifically abnormal or noteworthy. Though any breach, such as a single mismailing of patient data, is not good and is reportable, such incidents are inevitable.

United Urology Group’s website has no notification post yet. DataBreaches sent two emails to United Urology Group executives to find out what the company was doing in response to the breach and whether it had already deactivated all the leaked login data. UUG has not responded. When questioned about negotiations between UUG and RansomHouse, RansomHouse replied that there were no talks.

Daniel Lopez