Carolina Arthritis notifies 37K patients of data breach that compromised medical info & SSNs

Carolina Arthritis Associates has sent data breach notification letters to 36,961 patients following a cyber attack in September 2024. The attack was claimed by ransomware gang ThreeAM.
The data breach involves:
- Dates of birth
- Medical treatment or procedure information
- Medical record numbers
- Medical provider names
- Social security numbers
The North Carolina health center explains that the breach occurred following a “computer network disruption” on September 27, 2024. Ransomware gang ThreeAM came forward to claim the attack in October 2024.
After ThreeAM made its claim, databreaches.net spoke to the group about the incident. ThreeAM alleged that some negotiations had taken place with Dr. Harris but that these were a “waste of their time.” The hackers suggested that Dr. Harris asked ThreeAM for more time to meet its demands and for those demands to be more “reasonable,” but never offered a counter ransom amount. ThreeAM also provided databreaches.net with sample files, which appeared to include patient and employee data as well as usernames and passwords.
Carolina Arthritis hasn’t confirmed ThreeAM’s claims. Comparitech has contacted the clinic for more information and will update this article if it responds. In the meantime, those whose SSNs were impacted in the incident are being offered 12 months of complimentary identity protection services via CyberScout.
Who is ThreeAM?
ThreeAM (or 3AM), an alternative to LockBit, first started adding victims to its data leak site in September 2023. Since then, we’ve tracked eight confirmed claims alongside 46 unconfirmed claims.
Kootenai Health was also hit by ThreeAM in January 2024. This attack led to the breach of 464,088 records, making it the largest attack via this group based on records affected.
Addison Northwest School District is the only confirmed attack from ThreeAM this year so far, but we are also monitoring five unconfirmed attacks.
Ransomware attacks on US healthcare companies
In 2024, we saw 139 confirmed ransomware attacks on US hospitals, clinics, and other direct care providers. These attacks impacted nearly 23.6 million records in total and saw an average ransom demand of just over $1 million.
Other recently confirmed breaches from 2024 include:
- Allegheny Health Network (AHN) – Attacked via LockBit in October 2024, leading to the breach of 292,773 records.
- River Region Cardiology Associates P.C. – Hit in September 2024 by BianLian with 500,000 people affected.
- Asheville Eye Associates, PLLC (AEA) – 193,306 people impacted following a breach in December 2024 via DragonForce.
Frederick Health and New York Blood Center Enterprises are the only confirmed attacks in this sector this year so far, but there are a further 50 unconfirmed claims.
About Carolina Arthritis Associates
Located in Wilmington, North Carolina, Carolina Arthritis was founded in 1991 and provides the diagnosis and treatment of arthritis, autoimmune illnesses, connective tissue diseases, musculoskeletal disorders, and osteoporosis.