{
	"id": "e1a4959a-4170-45c4-b136-0c9a2d5d56ba",
	"created_at": "2026-04-11T02:23:17.369594Z",
	"updated_at": "2026-04-11T02:24:15.542231Z",
	"deleted_at": null,
	"sha1_hash": "0993e794da5cc05173a9ecee138bdb78d4254053",
	"title": "East Tennessee Children's Hospital updates information on ransomware incident - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 374920,
	"plain_text": "East Tennessee Children's Hospital updates information on\r\nransomware incident - DataBreaches.Net\r\nPublished: 2022-04-08 · Archived: 2026-04-11 02:02:44 UTC\r\nOn March 15, this site noted that the East Tennessee Children’s Hospital had posted a notice about an IT security\r\nincident. At the time, they did not identify the incident as a ransomware incident.\r\nDataBreaches.net subsequently found some explanation for that notice — a listing on a Russian-language forum\r\noffering data from ETCH with numerous screencaps and a compressed archive of files. The listing was posted by\r\na user affiliating with a group they called “NWGEN” and stated that although ETCH had been able to recover\r\nfrom backup, they were “forgetting about the children’s files.”  The threat actor claimed that they had “exfiled\r\n700GB worth of .sql and .bak files(SSN, DoB, Full-names, Ages, Registered deceases and more..)” and were\r\ndumping 170GB of “useless” data at that point.\r\nhttps://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/\r\nPage 1 of 4\n\nA forum listing with data from ETCH seen on a Russian-language forum in March.\r\nThe listing did not get much response other than from one individual who noted that the original torrent link did\r\nnot work. Perhaps the attacker misgauged how much people might detest them for trying to capitalize on\r\nchildren’s sensitive information. In any event, there is no indication of how many people may have downloaded\r\nthe data, and there was no further leak of ETCH data posted on that forum by that user. A quick check of other\r\nsites did not find the data from ETCH on two other popular forums where hacked data are often leaked (but of\r\ncourse, there are more than three places on the internet where such data might be shared).\r\nToday, The Daily Times in Tennessee has an update on the incident and reports that a new press release was issued\r\nby the hospital yesterday.  The following is part of that press release:\r\nWhat Happened? On March 13, 2022, ETCH identified unusual activity on its network. We promptly\r\nbegan taking steps to secure our systems and commenced a comprehensive investigation into the\r\nincident. Through the investigation to date, we have determined that ETCH experienced a cyber\r\nhttps://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/\r\nPage 2 of 4\n\nincident. While our investigation is ongoing, on March 18, 2022, we determined that certain documents\r\nstored within ETCH’s environment may have been copied from or viewed on the system as part of the\r\ncyber incident between March 11, 2022 – March 14, 2022. Based on the investigation, ETCH is\r\ncurrently working to determine the scope of potentially affected information and conducting a detailed\r\nreview of the potentially impacted data to determine the type of information present and to whom it\r\nrelates. This effort is currently ongoing.\r\nWhat Information Was Involved? While the investigation to determine the full scope of potentially\r\naffected information is ongoing and may vary by individual, the relevant ETCH systems may contain\r\nthe following types of information at the time of the event: names, date of birth, Social Security\r\nnumber, driver’s license or state identification number, non-resident identification number, other\r\ndemographic information, medical information, health insurance information, credit or debit card\r\ninformation, financial information, billing information, other personal health information, and\r\nusernames and passwords.\r\nThe full press release can be found on ETCH’s website, here.\r\nBut “may have been copied or viewed?”  ETCH had direct knowledge and proof as to some of what had\r\nhappened, as they actually negotiated with the threat actors and were given multiple examples of proof.  Then, too,\r\nsome data were actually dumped and made freely available to the public.\r\nThe threat actors showed a negotiator for ETCH numerous files that they had exfiltrated during\r\nnegotiations. These are just some. Redacted by DataBreaches.net.\r\nhttps://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/\r\nPage 3 of 4\n\nThe threat actors also uploaded some of the negotiations between them and “Todd,” someone who claimed to be\r\nan IT employee for ETCH, but used a Yahoo.com address.  At one point, the negotiator indicated that they would\r\nreduce their demand to $300,000.00.\r\nThe deadline given to ETCH to pay came and went, and it appears the initial data dump was reuploaded by the\r\noriginal poster to another file-sharing site on April 1. Yet no additional data has been leaked. Does that mean that\r\nthere is still some negotiation going on?\r\nETCH’s press release is totally silent on the issue of ransom or any negotiations.\r\nBut should ETCH have told people that they know some data has already been dumped on the internet? How\r\nmuch personnel information does that 3.8 GB compressed archive contain?\r\nAnd what, if anything, have the attackers done with any patient data?\r\nUpdate May 23, 2022:  ETCH reported this incident to the Maryland AG’s Office on May 19 as impacting\r\n422,531 people.\r\nSource: https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/\r\nhttps://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/"
	],
	"report_names": [
		"east-tennessee-childrens-hospital-updates-information-on-ransomware-incident"
	],
	"threat_actors": [],
	"ts_created_at": 1775874197,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0993e794da5cc05173a9ecee138bdb78d4254053.pdf",
		"text": "https://archive.orkl.eu/0993e794da5cc05173a9ecee138bdb78d4254053.txt",
		"img": "https://archive.orkl.eu/0993e794da5cc05173a9ecee138bdb78d4254053.jpg"
	}
}