At-home laboratory services provider Apex Laboratory said hackers stole some patient data during a ransomware attack that took place several months ago.
Established in 1997 and headquartered in Farmingdale, New York, Apex Laboratory provides medical testing services in the New York metropolitan area and surrounding areas. In 2007, Apex opened a South Florida location.
In a data breach notification published last week, the company announced that, on July 25, 2020, it discovered a cyberattack that resulted in systems being encrypted and becoming inaccessible.
Apex said it was able to secure its network, restore affected data, and resume operations on July 27, and claims that its investigation into the incident did not reveal evidence of unauthorized access or acquisition of patient information.
“However, on December 15, 2020, Apex learned that the hackers posted information on their blog about the attack and listed data taken that contained personal and health information for some patients,” the company revealed.
While looking into the attackers’ claims, Apex discovered that the data might have been stolen from its systems between July 21 and July 25, 2020.
The medical services provider says that, for some of its patients, stolen data includes names, dates of birth, phone numbers, Social Security numbers, and test results.
“Additionally, Apex is unaware of any actual or attempted misuse of any information other than the extracting of this data as part of the cyber-attack,” the company said.
While continuing to investigate the security incident, Apex is in the process of notifying affected individuals via written mail and said it also contacted law enforcement.
While the company did not reveal information on the threat actor behind the attack, DataBreaches reports that the DoppelPaymer ransomware was used to encrypt Apex Laboratory’s systems.
DoppelPaymer operators are known for exfiltrating data from compromised environments to pressure victims into paying the ransom.
On December 15, DoppelPaymer operators made public roughly 10,000 files they claim were stolen from Apex. In addition to data on hundreds of patients, employee information also appears to have been stolen in the incident.
In its data breach notification, Apex Laboratory said it “ensured that the data was removed from the hacker’s blog,” without providing further details on whether that involved paying the attackers or whether the hackers remain in possession of the stolen data.