Cyber Incident Victim: OnCallPractice

Date: May 2022

Location: United States of America

Summary

A ransomware group known as Bl00dy Ransomware Gang claimed responsibility for an attack impacting Primary Care of Long Island (PCOLI) and its associated vendor OnCallPractice, both operating from a shared medical facility. Sensitive patient data, including names, contact details, Social Security numbers, and dates of birth, was exfiltrated, with the attackers alleging possession of 900 GB of files from multiple entities at the location, including Brighter Dental Center. While PCOLI acknowledged unauthorized network access and data theft in a breach notification, the incident’s full scope remains unclear, as neither OnCallPractice nor Brighter Dental confirmed involvement or issued notifications. The attackers threatened to sell the stolen data, and service disruptions were observed, including OnCallPractice’s website being offline for an extended period.

Description

On or about May 23, 2022, an unauthorized actor gained access to the network of Primary Care of Long Island (PCOLI), a medical practice located at 820 Suffolk Avenue, Brentwood, New York. The intrusion was detected by PCOLI, which issued an undated breach notification letter stating that on June 8, 2022, they were informed the intruder may have transferred files containing patient names, phone numbers, addresses, Social Security numbers, and dates of birth. The notification did not reference file encryption, service disruption, or ransom demands. Around the same time, the website oncallpractice.com—a business associate or vendor offering billing, appointment booking, and technology services at the same Brentwood address—was listed alongside PCOLI as part of the same incident by the "Bl00dy Ransomware Gang" on their Telegram channel on August 7, 2022. The threat actors claimed responsibility for both entities, though neither confirmed the attack. Evidence provided by the group included screenshots of patient data and images of a health insurance card, driver’s license, eligibility documentation, and a dental Visit Note related to Brighter Dental Center, another tenant at the shared address. The origin of these records remained unclear, as Brighter Dental was not listed as a victim, raising questions about whether data was exfiltrated directly from the dental practice or via OnCallPractice’s systems.

The Bl00dy Ransomware Gang asserted they encrypted victims’ files with a *.bl00dy extension, took servers offline, and possessed approximately 900 GB of data from three practices, though only PCOLI and OnCallPractice were publicly named. On August 14, 2022, Dr. Priti Patel of PCOLI reported a breach affecting 6,877 patients to HHS under "Priti Patel Physician PC," classifying it as a hacking/IT incident. The gang later claimed Dr. Prashant Patel, owner of Brighter Dental Center, managed the affected entities and shared snippets of a May 23, 2022, chat with him, aligning with PCOLI’s stated intrusion date. Despite this, Brighter Dental issued no breach notification within HIPAA’s 60-day deadline, and OnCallPractice’s website remained "under maintenance" as of September 11, 2022. None of the three entities—PCOLI, OnCallPractice, or Brighter Dental—responded to inquiries from journalists or confirmed the gang’s claims. The threat actors initially sought to recruit penetration testers and offered ransomware builds for sale, later threatening to sell the exfiltrated data after failing to receive ransom payments. PCOLI restored three of four subdomains within three weeks of the attack, but the full scope of compromised data and systems across the interconnected entities remained unverified.
