Cyber Incident Victim: North Shore Pain Management

Date: May 2020

Location: United States of America

Summary

A Massachusetts-based pain management practice fell victim to Ako ransomware operators employing a double extortion scheme: data exfiltration followed by system encryption. The attackers leaked over 4 GB of unencrypted protected health information, including patient names, diagnoses, Social Security numbers, insurance details, billing records, and financial documents such as checks and bank account information. The dumped data consisted primarily of PDFs and scanned documents rather than electronic medical records, exposing sensitive employee and patient data across thousands of files. Ako publicly showcased unredacted patient records on its Tor site to pressure the practice, demanding $350,000 for data deletion while threatening further leaks. At the time of reporting, the organization had not publicly confirmed the breach or its awareness of the data theft; the incident likely triggered regulatory notifications.

Description

On or around May 13, 2020, ransomware operators using the Ako variant targeted North Shore Pain Management (NSPM), a Massachusetts-based medical practice with two offices. The attackers employed a double extortion strategy modeled after the Maze ransomware group, first exfiltrating sensitive data before encrypting the victim’s systems. Ako publicly listed NSPM on their Tor-based leak site alongside six other entities, including medical, business, and educational victims. The group dumped over 4 GB of NSPM’s unencrypted files, primarily consisting of PDFs, scanned documents, and images, to pressure the practice into paying a $350,000 ransom for data deletion. The leaked data contained extensive protected health information (PHI) and employee records, including patient names, addresses, diagnoses, Social Security numbers, health insurance details, billing information, employer data, and workers’ compensation records. Ako demonstrated proof of access by posting an unredacted screenshot of a daily patient schedule on their site, revealing PHI such as appointment types, insurers, phone numbers, dates of birth, and Social Security numbers.

The dumped files included highly sensitive materials such as completed insurance claim forms, Explanation of Benefits (EOB) statements, bank account details, copies of checks with routing numbers, and payment records. One 134-page file contained insurance claims disclosing diagnosis codes, treatment codes, charges, and employer information. While some files were unrelated (e.g., Wild Tangent game images), the majority exposed operational and clinical data, indicating broad network access. DataBreaches.net attempted to contact NSPM via Twitter but received no response, leaving the practice’s awareness of the breach unconfirmed. Because unsecured PHI was exposed, the incident required reporting to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). Ako’s listing for NSPM noted that the deletion fee had not been paid, implying further data releases if demands went unmet, though no additional leaks were documented in the immediate aftermath.
