Ransomware hackers gained access through Grant County computers

Regional mental health consortium computers compromised

In mid-August, Grant County discovered its computers had been hacked and that the hackers were demanding compensation.

Now the Region 4 South Mental Health Consortium has sent out letters to its clients notifying them that their personal data and history with the consortium may have been compromised.

Region 4 provides mental health services to Grant, Stevens, Traverse, Pope, and Douglas counties.

In response to questions from the Grant County Herald on the status of the investigation into the ransomware attack, the county responded that it was continuing to carry out a “comprehensive evaluation of the data impacted by this incident to determine whether it has a legal obligation to provide a notice of a data breach.”

“If the county determines that it has a legal obligation to provide notification, it will do so in compliance with any applicable laws,” it said. Minnesota and federal laws come into play, requiring notification of those whose data might have been compromised by the ransomware attack.

The Herald asked the county whether there had been a demand for compensation from the hackers.

“Yes, the cyber criminals demanded payment,” the county stated in an email to the Herald. “The county refused to pay them. Our external IT providers were able to restore much of our data from our existing backups without paying the ransom to the cybercriminals and we are fully operational.”

Often when there is a ransomware attack, the criminals will demand compensation to unfreeze computers, restoring user access. However, they also can ask for compensation in exchange for not dumping private data they may have accessed onto the internet for anyone to see.

The county gave no further information on the ransomware attack, saying the incident was still under investigation.

The Grant County Herald has also learned that there was an inadvertent release of access to a wide range of public data. A special closed emergency meeting was conducted by the county board June 23 to apparently address the situation.

Whether or not the county has notified those whose data could have been accessed through the inadvertent provision of access to county data is not known at this time.

County officials have said that this inadvertent release of information and the ransomware attack are two different incidents.

“This incident involves a ransomware attack from a cyber-criminal,” the Herald was told in a statement from the county’s breach counsel. “Grant County continues to coordinate with federal law enforcement and state entities to investigate and respond to this incident.”

“This incident does not involve inadvertent release by the county of access to its computers. This incident involves a ransomware attack,” the breach counsel said in response to questions submitted by the Herald.

Region 4 notifies clients

“Region 4 South Mental Health Consortium recently discovered an incident that involved personal information that we maintain about recipients of our services and certain current or former employees of Region 4 or predecessor entities,” a letter sent out by Administrator Kesha Anderson-Trinka Oct. 5 stated.

“We take this matter very seriously because we are committed to the privacy and security of all information in our possession,” Anderson-Trinka says in the letter.

Individuals whose personal information may have been compromised by the ransomware attack were sent the letter Oct. 5; however, not everyone was informed.

“Unfortunately, we did not have sufficient contact information to provide written notice to some individuals,” Anderson-Trinka says.

To notify those individuals for whom it does not have sufficient contact information, Region 4 has posted a ransomware notice on its website and is providing a toll-free telephone number, (833) 436-4323, for those with concerns. The number can be called between 8:30 a.m. and 4 p.m., Monday through Friday. Questions concerning whether an individual’s information was included in the data impacted by this incident will be answered.

“We are providing this notice to inform potentially impacted individuals, offer complimentary identity monitoring services to those whose Social Security number and/or driver’s license number was involved, and suggest ways that individuals can protect their information,” Anderson-Trinka said.

Region 4 says its computer network was affected by a ransomware attack that hit Grant County Aug. 6.

“As soon as we learned this, we began working with the county and a nationally recognized digital forensics firm to understand what happened, contain the attack, and determine the scope of the incident. 

“Our external IT providers were able to restore much of our data from our existing backups without paying the ransom to the cybercriminals and Region 4 is fully operational. 

“Through our investigation of the incident, on August 29, 2023, we determined that some of Region 4’s data was taken from the county’s network. As soon as we learned this, we began an extensive review of the identified data to determine what information may have been involved and who may have been affected, so that we could provide notice,” Anderson-Trinka states in the letter.

What Information Was Involved

Information that may have been taken includes:

– A person’s name

– Social Security number

– Date of birth

– Information on the services a person has been provided

– Dates of the services

– Insurance identification numbers

– Billing information

“The information may have also included information regarding physical, medical, or mental health conditions, diagnoses, and/or treatment, medications, laboratory results or information related to substance use,” Anderson-Trinka states in the letter.

For a small number of individuals, the information included a driver’s license number. This incident did not impact our electronic medical record system.

What Region 4 clients should be doing

Region 4 recommends that clients take the following preventative measures to help protect their information:

1. Remain alert for incidents of fraud and identity theft by regularly reviewing any account statements, free credit reports and health insurance Explanation of Benefits (EOB) forms for unauthorized or suspicious activity. Information on additional ways to protect your information, including how to obtain a free credit report and free security freeze, can be found at the end of this notification.

2. Report any incidents of suspected identity theft to your local law enforcement, state Attorney General and the major credit bureaus.