Teton Orthopaedics has recently informed over 13,000 individuals of a ransomware attack that was detected nine months ago. The disclosure highlights potential lapses in timely notification and public reporting following a cyber incident involving significant personal and medical data exfiltration.
**Initial Discovery:**
The breach was first identified on March 25, 2024, which coincided with the ransomware group DragonForce publicizing the attack. The breach timeline suggests unauthorized access occurred between January 16 and March 25, 2024.
**Data Exfiltrated:**
DragonForce claimed to have stolen 19.48GB of files, subsequently leaking plain text records that included patient demographics, medical history, and treatment information. Additional data related to internal operations, employee details, and billing were also exposed.
**Delayed Notification:**
Despite the breach's discovery in March, official notification to affected individuals in Massachusetts and Maine occurred only in December 2024. Teton Orthopaedics acknowledged the delay but did not clarify why notifications to the Health and Human Services (HHS) breach tool were not completed within the mandatory 60-day period.
**Failed Negotiations?**
DragonForce reported communication with Teton Orthopaedics in late March and early April regarding possible ransom negotiations. According to chat logs shared by the group, Teton initially expressed interest in negotiating but ultimately ceased communication by mid-April without reaching an agreement.
**Sensitive Data Compromised:**
The compromised data includes personally identifiable information (PII) such as names, addresses, birth dates, health insurance details, and medical records. For some individuals, Social Security numbers, passport information, financial data, and government IDs were also affected.