Article Details

3AM ransomware stole data of 464,000 Kootenai Health patients. Kootenai Health has disclosed a data breach impacting over 464,000 patients after their personal information was stolen and leaked by the 3AM ransomware operation. Kootenai Health is a not-for-profit healthcare provider in Idaho, operating the largest hospital in the region, offering a wide range of medical services, including emergency care, surgery, cancer treatment, cardiac care, and orthopedics. The organization is notifying patients who received care at its facilities that it detected a cyberattack in early March 2024, which disrupted certain IT systems. An ongoing investigation shows that the cybercriminals gained unauthorized access to Kootenai's systems on February 22, 2024, allowing the threat actors ten days to roam the network and steal sensitive data. "On March 2, 2024, Kootenai Health became aware of unusual activity that disrupted access to certain IT systems," reads the notification submitted to Maine's AG Office. "The investigation revealed that an unknown actor may have gained unauthorized access to certain data from the Kootenai Health network on or about February 22, 2024." The examination of what data has been stolen as a result of this breach was concluded on August 1, confirming the following as exposed: Kootenai Health states that it's unaware of any misuse of the stolen information. It also enclosed instructions for impacted individuals to enroll in 12-24 months of identity protection services, depending on what data was exposed. Patients may also visit the hospital's announcement published on the Kootenai Health website for more information and support links. 3AM ransomware leaks the data The 3AM ransomware gang has claimed responsibility for the attack and leaked stolen data on its darknet portal, indicating that a ransom was not paid. The stolen data consists of a 22GB archive, available for free, allowing any other cybercriminal to download the data and utilize it in further attacks. 3AM is a Rust-based ransomware strain first reported in September 2023, seeing limited deployment as a fallback option for when more proven lockers failed. In January, Intrisec analysts reported seeing notable links between 3AM, Conti, and the Royal ransomware gangs, suggesting some association between the three gangs.