Atlantic Dialysis Management Services, LLC Announces Data Breach Possibly Stemming from Ransomware Attack | Console and Associates, P.C.
On August 5, 2022, Atlantic Dialysis Management Services, LLC (“ADMS”) issued a press release confirming a data breach after management discovered that an unauthorized party had gained access to the company’s computer system and to sensitive consumer data contained on ADMS’ network. According to ADMS, the breach resulted in patient names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information being compromised. Recently, ADMS sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Atlantic Dialysis Management Services data breach, please see our recent piece on the topic here.
More Information About the Atlantic Dialysis Management Services Data Breach
According to the company’s August 5, 2022 press release, on June 9, 2022, ADMS discovered unauthorized activity within its computer systems. In response, the company secured its network, changed all passwords, and began working with third-party cybersecurity professionals to investigate the incident.
The company’s investigation confirmed that an unauthorized user was able to gain access to certain files on Atlantic Dialysis Management Services’ network. Further, the company learned that some of the affected files contained sensitive patient information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Atlantic Dialysis Management Services then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, Social Security number, date of birth, medical diagnosis and treatment information, health insurance information, and prescription information.
On August 5, 2022, Atlantic Dialysis Management Services sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Atlantic Dialysis Management Services, LLC is a healthcare services company based in College Point, New York. The company establishes new dialysis treatment centers as well as provides services and support to dialysis centers. The following are ADMS-affiliated dialysis centers:
Astoria Dialysis Center in Astoria, N.Y.
Broadway Dialysis Center at Elmhurst Hospital Center in Elmhurst, N.Y.
Central Brooklyn Dialysis Center in Brooklyn, N.Y.
Central Park Dialysis Center, located in ArchCare at the Terence Cardinal Cooke Health Care Center in Manhattan, N.Y.
East End Management Services in Riverhead, N.Y.
Morrisania Dialysis Center at the Daughters of Jacob Nursing Home in the Bronx, N.Y.
New Hyde Park Dialysis Center in New Hyde Park, N.Y.
New York Renal Associates in the Bronx, N.Y.
Newtown Dialysis Center in Long Island City, N.Y.
Prospect Park Dialysis Center in Brooklyn, N.Y.
Ridgewood Dialysis Center in Ridgewood, N.Y.
Springfield Dialysis Center in Springfield Gardens, N.Y.
West Nassau Dialysis Center in Valley Stream, N.Y.
Atlantic Dialysis Management Services employs more than 352 people and generates approximately $64 million in annual revenue.
Was Atlantic Dialysis Management Services Patient Data Leaked on the Dark Web?
In its press release, Atlantic Dialysis Management Services notes that the company “is not aware of any evidence to suggest that any information has been misused. However, ADMS was unable to rule out the possibility that the information could have been accessed.” Subsequent reports, however, indicate that the hackers responsible for the breach had already posted portions of the leaked data on the dark web.
Based on these reports, the ransomware group Snatch Team orchestrated the ADMS breach and acquired more than 812 megabytes of patient data. As early as June 30, 2022—just a few weeks after the breach—the ransomware operators began posting some of the stolen data on the dark web. When a prominent data breach website reached out to Snatch Team to confirm the attack, the hackers provided additional proof, including more than 400 files that had not yet been shared on the leak site.
Based on the ADMS press release and the subsequent reporting on the incident, it appears that the Atlantic Dialysis Management Services data breach stemmed from a ransomware attack. Ransomware attacks are one of the most prevalent cyberattacks. In fact, according to the Identity Theft Resource Center (“ITRC”), ransomware attacks in the U.S. more than doubled between 2020 and 2021. For example, in 2021, there were a total of 321 successful ransomware attacks, each of which can impact tens of thousands of victims. Overall, ransomware attacks affected more than 41 million people in 2021, making them the second most common type of cyberattack behind email phishing attacks.
Most ransomware attacks involve a ransomware group installing malicious software on a victim company’s computer system, which locks the organization out. This malware also gives the hackers access to the files contained on the company’s network. Ransomware operators will also leave a note for system administrators, indicating that they will allow the company to access its network only if it pays a monetary ransom. In many cases, hackers have started to threaten to post the stolen information on the dark web as an additional incentive for a company to pay the ransom.
Data breach letters are designed to convey valuable information to victims of a breach. However, the effectiveness of these notices is called into question when a company states that there is no indication that victims’ information has been misused when in fact, there is verifiable evidence suggesting that the data is already on the dark web.
Data breach victims looking to learn more about their rights after a cyberattack, as well as their options to pursue a legal claim against the company that leaked their information, should reach out to an experienced data breach lawyer.