Pacific Healthworks, a management services provider for at least 1200 hospital-based physician groups, is claimed by the Everest ransomware group, along with hundreds of sensitive data samples from at least 50 medical groups they serve.
Headquartered in the Southern California city of El Segundo, Pacific HealthWorks' physician group clients specialize in Emergency Room, critical and ICU care, hospitalized patients, anesthesia, and psychiatry, as well as physician assistants (scribes) who handle medical electronic health records (EHR) for the doctors.
Everest posted Pacific HealthWorks (PHW), along with PHW sister company, La Perouse, another West Coast-based healthcare management service organization (MSO), on its dark victim blog over the weekend.
“Billing data, as well as personal data of more than 50 organizations, will be published if the company does not contact us using the contacts below,” Everest wrote under the PHW victim post.
“Company representative should follow the instructions to contact us before time runs out,” the gang says, but does not indicate when the “deadline” is.
Hundreds of sample files appear on leak site
Between the two companies, the ransomware gang has provided hundreds of file samples to prove its get, including a mass of internal company documents and private patient data. A combined total of about 5000 individuals have already viewed the victim's posts.
Cybernews was able to view the alleged samples, which show databases chock-full of patient (and what appears to be some employees) personally identifiable information (PII), including:
- Name, social security number, date of birth
- Address, email, home phone, cell phone
- Gender, race, marital status, financial class
- Medical and billing records
- Insurance and medical ID #s
- Insurance claims with diagnosis codes
Headquartered in the Southern California city of El Segundo, the healthcare organization provides MSO services to over 70 operating entities, 1,200 medical clinics, physician groups, and hospitals, servicing over 1.4 million patients annually, according to its website.
Dozens of data samples from other PHW-connected companies, including Emergent Medical Associates, Benchmark Hospitalists & Intensivists, and AnesthesiaWorks, were also found on the leak site.
No ransom payment date or countdown clock appears for either company. “Publishing this data will be fatal for you,” the group tells La Perouse.
It is also unclear when exactly the breaches took place, as Evererst lists July 8th under the PWC post, and August 8th for La Perouse, which could be a typo.
Cybernews has reached out to Pacific HealthWorks on Monday, but has not received a response at the time of this report.
Everest heats up with summer attacks
The Russian-linked Everest gang first emerged on the scene in July 2021. On July 26th, Everest identified Mailchimp, the email marketing giant, as its latest victim, publishing a link to the purported stolen data just last week.
The popular Crumbl cookie company was claimed just one day earlier, but has since disappeared from the Everest victim leak site, leading to speculation that the US-based gourmet dessert franchise decided to fork over an undisclosed ransom payment.
The gang also went after the BitBox crypto management and Bitcoin cold storage company last month, allegedly exfiltrating a cache of internal documents from the Switzerland-based firm, including sensitive client information.
According to Cybernews’ dark web tracker Ransomlooker, the gang has listed 248 victims since 2023, with 90 victims in the past 12 months, including a recent spate of attacks targeting the Middle East.
“Everest is quite bold in their targeting and doesn’t hesitate to go after sensitive sectors, government agencies, and hospitals,” Martin Vigo, lead security researcher at AppOmni, told Cybernews in May.
According to Vigo, the group has shifted its tactics over the years, relying less on encryption to lock down systems and more on stealing and leaking data, using their dark leak site as a “pressure mechanism.”
"Victims are publicly named, and partial datasets are published to demonstrate the seriousness of the breach. This creates reputational and legal pressure, particularly for high-profile targets, and increases the likelihood of a payout.” Vigo said.
Believed to be connected to the BlackByte ransomware group, on May 22nd, Everest set its sights on Coca-Cola’s Middle East division, eventually leaking the data of nearly 1000 employees from the company’s multiple distribution centers scattered throughout the region.
Seemingly part of a broader attack on Coca-Cola Europacific Partners, the world’s largest Coca-Cola bottler based in the UK, the ransomware group also reportedly made away with an alleged 23 million records.
Just days after the attack on Coca-Cola, Everest claimed the prominent international private hospital Mediclinic, which has locations in the UAE, the Abu Dhabi Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB).
The gang was also behind the October 2022 attack on AT&T, offering alleged access to the entire AT&T corporate network and the Radisson Country Inn and Suites hotel chain in fall 2024.
Your email address will not be published. Required fields are markedmarked