An American laboratory specializing in home phlebotomy has disclosed a cyber-attack that occurred five months ago after data stolen in the attack turned up online.
Apex Laboratory opened in 1997 and is based in Farmingdale, New York. The company has provided medical testing services to hundreds of home health agencies and thousands of physicians in New York and South Florida.
On July 25, 2020, Apex learned that it had become the victim of a cyber-attack that rendered certain files and systems inaccessible. Network access was restored along with the impacted data, and the company resumed normal operations on July 27.
A third-party cyber forensic analyst was hired by Apex to investigate the attack. The investigation found no evidence of unauthorized access or acquisition of patient information, and Apex did not disclose the incident.
However, Apex discovered last month that the cyber-criminals behind the attack had stolen "personal and health information for some patients" and posted it online on their blog. Information believed to have been taken includes patient names, dates of birth, test results, and, for some individuals, Social Security numbers and phone numbers.
Apex is yet to reveal how many patients were impacted by the incident, but the laboratory did say that the information stolen by the threat actors could have been pinched over a four-day period.
"It is believed that this information may have been acquired from Apex’s systems between July 21, 2020 and July 25, 2020," stated Apex.
From a notice of data event posted by Apex on December 31, the attack sounds like it might have involved ransomware.
The notice states: "On July 25, 2020, Apex Laboratory of Farmingdale, NY ('Apex') discovered that it was the victim of a cyber-attack and that certain systems in its environment were encrypted and inaccessible."
Apex didn't say that it paid a ransom to the cyber-attackers; however, the speedy restoration of the impacted data and the removal of the stolen data from the hacker's blog might suggest some communication between the criminals and their victim has occurred.
The company said that it is "unaware of any actual or attempted misuse of any information other than the extracting of this data as part of the cyber-attack."