Hackers hit UM and posted patients’ private info. School won’t discuss details
Hackers targeted the University of Miami in a massive and brazen “ransomware” scheme that at the very least has compromised the personal information of an unknown number of medical patients.
The university is one of a string of businesses, government agencies and schools hit in recent months through Accellion file-sharing software. They include the oil and gas giant Shell, law firm Jones Day (whose clients include former President Donald Trump), the supermarket chain Kroger and the Washington State Auditor’s Office, where it impacted more than 1.6 million people.
The scope of the data breach at UM isn’t clear. The university disclosed the attack in a web posting Tuesday — weeks after several other universities — but refused to provide details. The post downplayed the impact: “Accellion had been used by a small number of individuals at UM to transfer files too large for email. The University has since discontinued use of Accellion file transfer services.”
‘DARK WEB’
But cyber criminals posted a few dozen patients’ personal information, including their Social Security numbers and addresses in some cases, on the internet in the sophone. called “dark web,” which is often used by digital crooks. Brett Callow, a cybersecurity expert based in Canada, said that amounts to an extortion threat — pay up or we’ll expose more of your protected data.
“It’s the equivalent of a kidnapper sending a pinky finger,” he said.
As of Wednesday, UM had not yet alerted affected patients but said it intended to do so. “Once our investigation and data analysis are complete, we will notify affected individuals under applicable laws,” the university said in the Tuesday posting.
UM didn’t issue a press release about the breach. Instead, it published an email message on a web page that it uses for “key institutional emails that are sent out to various UM constituencies.” It was unclear who received the Tuesday email message about the cyberattack. At least two UM employees confirmed to the Miami Herald they got the correspondence, but none of the three patients interviewed reported getting it.
William Budd, who has been a patient at UHealth since 1999 and is fighting cancer, said the first time he heard his information had been compromised was when a Herald reporter called him Wednesday. Hackers posted his email address and phone number but could potentially have more of his personal details and release them.
“Let me sit down,” he told the reporter on the
“I feel like I should be sitting down to hear what you have to say.”
Budd said he hadn’t received any emails, phone calls, text messages or letters warning him that hackers had stolen his data. He said that if he had, he would’ve notified credit bureaus about it and taken other precautions weeks or even months earlier.
“What bothers me most is nobody from UHealth has contacted me,” he said. “That’s serious. It’s disturbing.”
Lisa Worley, a spokeswoman for UHealth, didn’t respond to requests for comments.
WHAT WE KNOW ABOUT HOW UM HANDLED THE HACK
The cyberattack was targeted through software produced by Accellion.
The California-based company said in a Feb. 1 statement it “promptly notified” all of its customers about the “sophisticated cyberattack” on Dec. 23.
A university spokeswoman would not say when the school discovered the attack. It is unclear why UM waited until this week to disclose the breach. The University of Colorado, which saw student grades and copies of checks stolen, put out information about the incident on Feb. 12. The Southern Illinois University School of Medicine divulged it March 4.
UM’s web posting said that based on its ongoing investigation, “the incident was limited to the Accellion server used for secure file transfers and did not compromise other University of Miami systems or affect outside systems linked to the University of Miami’s network.”
The university did not provide information on how many UHealth patients’ data might have been compromised or whether other university departments or students records were impacted. It is unclear whether UM received a ransom message or if it paid or was planning to pay the hackers.
Responding to questions, Megan Ondrizek, the executive director of communications and public relations at UM, emailed a short written statement that included some of the text in the Tuesday web posting and read in part:
“As soon as we became aware of the incident, we took immediate action to investigate and contain it. We also retained leading cybersecurity experts to assist with our investigation. We have reported the incident to law enforcement and are cooperating with their investigation.”