Cyber Incident Victim: Lamoille Health Partners
Date: Jul 2022
Location: United States of America
Summary
A Vermont-based community health provider experienced a ransomware attack by the BlackByte group, resulting in the exfiltration and leak of sensitive patient and employee data. The compromised information included patient names, dates of birth, Social Security numbers, medical conditions, and payroll details. Despite the confirmed data exposure, the organization delayed patient notifications while investigating the incident. The attack impacted 59,381 individuals, prompting offers of credit monitoring for those with exposed Social Security numbers. BlackByte employed a double extortion model, threatening further leaks, though their original leak site later shut down, leaving the status of the stolen data unresolved.
Description
On or around July 8, 2022, Lamoille Health Partners, a Vermont-based community health provider offering dental, medical, pediatric, addiction treatment, pharmacy, and mental health services, experienced a cybersecurity incident involving the BlackByte ransomware group. BlackByte claimed responsibility for the attack and published stolen data on its dedicated leak site. The leaked data included two folders named after Lamoille employees. One folder contained accounting, billing, and payroll records with some protected health information (PHI) identifying patients through billing details. The second folder held highly sensitive patient data, including names, dates of birth, Social Security numbers, medical conditions, disabilities, and documentation of requested accommodations or services. BlackByte employed a double extortion model, threatening further leaks if ransom demands were unmet, with a countdown timer indicating additional data releases within approximately 18 days.

Lamoille Health Partners initially did not publicize the breach on its website or through the Vermont Attorney General’s breach reporting portal. By July 11, Lamoille’s CEO acknowledged the incident to media but characterized the cause as unclear, stating it could have resulted from malware rather than a deliberate attack. The organization admitted it had not yet notified affected patients and provided no timeline for disclosures, citing a need for more information before acting. On August 17, Lamoille reported the incident to the U.S. Department of Health and Human Services (HHS), disclosing that 59,381 individuals were impacted. The organization later updated its public notice, offering complimentary identity protection and credit monitoring to individuals whose Social Security numbers were exposed. BlackByte’s original leak site subsequently became inaccessible, and its replacement omitted prior victims like Lamoille, leaving the status of the exfiltrated data unresolved. The breach exposed sensitive patient and employee information, triggered an automatic HHS investigation, and raised concerns about compliance with federal security regulations.
