Cyber Incident Victim: Leon Medical Centers
Date: Dec 2020
Location: United States of America
Summary
The Conti ransomware group compromised Leon Medical Centers through a phishing email opened by a user with Citrix access, then leveraged the CVE-2020-0796 vulnerability to escalate privileges and obtain domain administrator credentials. The attackers exfiltrated nearly 2 million files containing sensitive employee payroll data, banking records, COVID-19 test results, and internal compliance documents, alongside patient appointment records, referral scans, and personally identifiable information including names, birthdates, Social Security numbers, and visit details. The breach exposed financial accounts, disciplinary records, and health-related files affecting hundreds of thousands of patients and staff, and the evidence suggested inadequate security controls over the storage of and access to sensitive data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Conti ransomware group attacked Leon Medical Centers (LMC) in Florida, first compromising the organization through a phishing email sent in September that was opened by a user with Citrix access. Using the CVE-2020-0796 vulnerability, Conti escalated privileges to local administrator level, then deployed the BloodHound tool to identify computers storing domain administrator credentials. After locating a target computer, they gained domain-wide access and discovered unsecured passwords for local administrator accounts, backups, SQL servers, and other resources. Conti subsequently accessed the workstations of LMC’s domain administrators, extracted credentials using the Mimikatz tool, and leveraged RDP connections to obtain passwords from KeePass password managers, ultimately compromising the antivirus server. The attackers exfiltrated data from multiple directories, including finance, HR, patient records, and operational documents, before initiating data dumps in November.

Conti exfiltrated approximately 1.97 million files containing sensitive employee and patient data. Finance directory leaks included payroll records from 2005 onward with employee names, full SSNs, ID numbers, weekly pay amounts, and emergency contacts. HR files disclosed COVID-19 test results for named personnel, disciplinary records, and "break the glass" patient access settings. Patient data included 1.47 million appointment/service records (2013-2015) with names, genders, DOBs, appointment details, physician information, visit reasons, insurance data, and photos, plus 300,000 referral/test order scans (2009-2019) containing handwritten notes, SSNs, and additional photos. Operational files included compliance documents related to risk, privacy, OSHA, and workers' compensation. LMC initially dismissed Conti’s claim of breaching 1 million patients as exaggerated, though the volume of unique files suggested impacts on hundreds of thousands of patients and employees. No evidence indicated full EMR or bulk insurance records were stolen. LMC did not respond to DataBreaches.net’s request for comment prior to publication. The breach necessitated notifications to patients, employees, and HHS, while exposing financial accounts to potential fraud. HHS was expected to investigate LMC’s pre-incident risk assessment practices and vulnerability remediation timelines.
