The breach has affected 650,000 individuals at TTUHSC’s Lubbock campus and 815,000 at its El Paso branch
This incident report summarizes the data breach affecting the Texas Tech University Health Sciences Center (TTUHSC).
# Incident Report: TTUHSC Ransomware Attack and Data Exfiltration
## Executive Summary
A ransomware attack targeting the Texas Tech University Health Sciences Center (TTUHSC) between September 17 and September 29, 2024, resulted in the exfiltration of sensitive personal and medical data belonging to 1.4 million individuals, reportedly claimed by the ransomware group Interlock. The incident caused significant system disruptions, necessitating response actions including offering remediation services to affected parties.
## Incident Details
- Discovery Date: Unknown (Attack window between September 17 and September 29, 2024)
- Incident Date: September 17 - September 29, 2024
- Affected Organization: Texas Tech University Health Sciences Center (TTUHSC)
- Sector: Healthcare / Education
- Geography: USA (Texas)
## Timeline of Events
### Initial Access
- Date/Time: Commenced on or around September 17, 2024
- Vector: Ransomware attack (specific initial vector not detailed in the provided excerpt, but implied to be network-based given the systemic impact).
- Details: The attack window spanned nearly two weeks, during which the intruders operated inside the environment before the breach and its full extent were recognized.
### Lateral Movement
- Details: While specific steps are not detailed, the extent of the data exfiltration affecting 1.4 million records implies successful lateral movement within the TTUHSC environment.
### Data Exfiltration/Impact
- Details: Stolen data included names, Social Security numbers, addresses, dates of birth, government-issued ID numbers, financial account information, health insurance details, and medical records (diagnoses and treatments).
### Detection & Response
- Details: The response involved university confirmation of the breach and communication to affected individuals. The university is actively offering free credit monitoring services.
## Attack Methodology
- Initial Access: Specific vector not detailed; the ransomware attack was claimed by the Interlock group.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Implied by the broad scope of data accessed.
- Collection: Sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI) were gathered.
- Exfiltration: Data exfiltration occurred prior to or concurrent with the ransomware deployment.
- Impact: Data theft, potential financial fraud risk, and operational system disruption.
## Impact Assessment
- Financial: Not explicitly stated, but significant costs related to forensics, notification, and credit monitoring services are expected.
- Data Breach: Personal and medical information of **1.4 million individuals** was compromised, including SSNs, financial info, DOBs, and PHI (diagnoses/treatments).
- Operational: Experienced "significant disruptions to university systems."
- Reputational: Inherent reputational damage associated with a large-scale health data breach.
## Indicators of Compromise
*Note: No specific IOCs were present in the provided text excerpt.*
- Network indicators: [Not provided]
- File indicators: [Not provided]
- Behavioral indicators: [Not provided]
## Response Actions
- Containment: Not detailed; the scope of the incident implies that immediate isolation of impacted systems was necessary.
- Eradication: Not detailed, but typically requires comprehensive malware cleansing and credential resets.
- Recovery: TTUHSC is offering **free credit monitoring services** to all affected individuals.
## Lessons Learned
- **Segmentation and Zero Trust:** The ability of the ransomware group to access and exfiltrate PII/PHI across systems highlights potential deficiencies in network segmentation or least-privilege enforcement.
- **Timely Reporting:** Monitoring needs to be enhanced so that intrusions are detected far sooner than the two-week attack window (Sept 17 to Sept 29) seen here.
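The two-week window above is exactly what volume-based exfiltration monitoring exists to shorten. The following is an added example, not taken from the original report or from TTUHSC, of a simple per-host outbound-volume baseline check run over constructed daily flow-summary lines; the host names, addresses, byte counts, and the 5x / 1 MB thresholds are all assumptions chosen for illustration.

```python
"""Added example (not part of the original report): a minimal outbound-volume
baseline detector of the kind a SOC might run over daily per-host flow
summaries to surface bulk exfiltration early.

The log format, hosts, destinations and byte counts are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed flow summary lines: date,host,destination,bytes_out
FLOW_LOG = """\
2024-09-10,records-db-01,198.51.100.20,120000
2024-09-11,records-db-01,198.51.100.20,135000
2024-09-12,records-db-01,198.51.100.20,110000
2024-09-13,records-db-01,198.51.100.20,128000
2024-09-14,records-db-01,198.51.100.20,117000
2024-09-17,records-db-01,203.0.113.77,9800000000
2024-09-10,workstation-22,198.51.100.20,50000
2024-09-11,workstation-22,198.51.100.20,52000
2024-09-12,workstation-22,198.51.100.20,48000
2024-09-13,workstation-22,198.51.100.20,51000
2024-09-14,workstation-22,198.51.100.20,60000
2024-09-17,workstation-22,198.51.100.20,55000
"""


@dataclass(frozen=True)
class Alert:
    date: str
    host: str
    bytes_out: int
    baseline: float       # median outbound bytes over the host's prior days
    ratio: float          # bytes_out / baseline
    new_destination: bool  # host talked to a destination never seen before


def parse_flows(text):
    """Yield (date, host, destination, bytes) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue
        date, host, dst, raw_bytes = parts
        try:
            yield date, host, dst, int(raw_bytes)
        except ValueError:
            continue


def detect_exfil(text, ratio_threshold=5.0, min_bytes=1_000_000):
    """Flag a host-day whose outbound bytes exceed ratio_threshold times the
    median of that host's prior days AND exceed min_bytes (the floor keeps
    low-volume hosts from alerting on small fluctuations). A first-seen
    destination is recorded as an additional signal, not a requirement."""
    daily = defaultdict(int)   # (host, date) -> total bytes out
    dests = defaultdict(set)   # (host, date) -> destinations seen that day
    for date, host, dst, nbytes in parse_flows(text):
        daily[(host, date)] += nbytes
        dests[(host, date)].add(dst)

    alerts = []
    for host in sorted({h for h, _ in daily}):
        dates = sorted(d for h, d in daily if h == host)  # ISO dates sort lexically
        seen_dests = set()
        for i, date in enumerate(dates):
            today = daily[(host, date)]
            prior = [daily[(host, d)] for d in dates[:i]]
            new_dest = not dests[(host, date)] <= seen_dests
            if prior:  # no baseline on the first observed day
                base = median(prior)
                ratio = today / base if base else float("inf")
                if today >= min_bytes and ratio >= ratio_threshold:
                    alerts.append(Alert(date, host, today, base, ratio, new_dest))
            seen_dests |= dests[(host, date)]
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(FLOW_LOG):
        print(f"{a.date} {a.host}: {a.bytes_out} bytes out "
              f"({a.ratio:.0f}x baseline of {a.baseline:.0f}), "
              f"new destination={a.new_destination}")
```

On the constructed data only `records-db-01` on 2024-09-17 trips the check: it sends roughly 80,000 times its median daily volume to an address it has never contacted before, while `workstation-22` stays under the floor. A production version would use a longer baseline window, feed from the organisation's flow or proxy logs, and raise into the SIEM rather than print.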
## Recommendations
- Immediately review and enhance network segregation between standard administrative systems and high-value assets (like medical records systems).
- Mandate comprehensive, frequent security awareness training focusing on recognizing initial access attempts relevant to ransomware groups.
- Implement or enhance multi-factor authentication across all high-value accounts and remote access points to limit the impact of credential compromise.