
Cyber Incident Victim: BST & Co. CPAs LLC

Date: Dec 2019

Location: United States of America

Summary

A ransomware attack targeting accounting firm BST & Co. CPAs compromised sensitive data belonging to its client Community Care Physicians, a large medical group, alongside BST employee information. The Maze ransomware gang infiltrated BST's network, exfiltrating patient details including names, birth dates, medical record numbers, and insurance data, as well as comprehensive employee records containing Social Security numbers and payroll information. While BST restored systems using backups and stated that its investigation did not confirm unauthorized data acquisition, Maze publicly posted stolen files, including client and internal documents. The medical group notified affected individuals but reported no evidence of data misuse. The incident underscores risks posed by third-party vendor vulnerabilities in healthcare data chains.

Description

On December 7, 2019, BST & Co. CPAs LLC, an accounting firm based in Albany, New York, discovered a virus had infected part of its network, blocking access to files. Forensic analysis determined the malware was active from December 4 to December 7. The compromised network stored client data, including files belonging to Community Care Physicians (CCP), a medical group with over 420 practitioners across 80 locations in upstate New York. An unauthorized external actor introduced the virus, which security researcher Brett Callow identified as ransomware linked to the Maze gang. Maze publicly posted stolen BST data on its website by January 2020, including employee records containing names, addresses, Social Security numbers, dates of birth, phone numbers, and pay rates. BST restored its systems using backups and engaged a forensic firm to investigate the incident’s scope. The accounting firm stated the breach potentially exposed client data containing names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions but confirmed patient medical records and Social Security numbers were unaffected.

Community Care Physicians acknowledged the breach impacted files BST maintained for accounting and tax services, affecting hundreds of thousands of patients annually. BST began notifying individuals whose data was stored on the compromised network and offered one year of prepaid identity theft monitoring. CCP emphasized no evidence suggested accessed data was misused, relying on BST’s restoration of files from backups. Despite BST’s claim that its investigation did not confirm unauthorized acquisition of personal information, Maze’s website displayed exfiltrated BST data, including database backups and an image of a company check. The Department of Health and Human Services had not listed the incident on its HIPAA Breach Reporting Tool as of February 2020. Security experts noted the attack exemplified ransomware gangs increasingly exfiltrating data to pressure victims, with Maze publishing stolen information publicly when ransoms were unpaid. The incident highlighted risks posed by third-party vendors, as hackers targeted BST to access multiple clients’ data, including healthcare entities. Emsisoft’s Callow stressed that organizations must assume ransomware incidents compromise data until proven otherwise, advocating faster breach notifications to enable timely consumer protections.
