
Ransomware Hackers Steal Medical Insurance Data of 1M People

Young Consulting Says Health Data Exposed; Ransomware Group Leaked Stolen Data

An Atlanta-based software developer that works with people's health data is notifying nearly 1 million individuals that their personal information was stolen earlier this year by attackers. A ransomware group called BlackSuit claimed credit for the attack and leaked stolen data.


Young Consulting said in a report filed Monday that it's notifying 954,177 individuals "on behalf of Blue Shield of California" that their personal information was stolen.

Exposed information included an individual's name, birthdate, Social Security number and insurance policy and claim information.

Young Consulting develops software designed to help carriers, brokers and third-party administrators market, underwrite and administer medical stop-loss insurance, also known as excess insurance. This type of insurance provides protection against unexpected losses that could have a catastrophic effect on a business. It typically is purchased by U.S. organizations when they self-fund their employee benefit plans but don't want to cover 100% of the liability incurred for losses that exceed the deductibles specified under their insurance plan.

The consultancy said it first "became aware of technical difficulties in our computer environment" on April 13, after which it took multiple systems offline and brought in a third-party digital forensics firm "to determine the nature and scope of the event."

Investigators found the attack began on April 10 and ran until April 13. During that time, attackers stole data from Young Consulting's network.

The firm reviewed the stolen data to identify what personal information may have been exposed and shared this information with Blue Shield on June 28. "We then worked to identify appropriate contact information for the potentially impacted individuals so that we could provide notification," it said.

The company began notifying victims Monday. Under the HIPAA Breach Notification Rule, regulated entities must notify affected individuals within 60 days of discovering a HIPAA breach and, if the breach affects 500 or more individuals, report the incident to HHS' Office for Civil Rights within that same time frame.

"As part of our ongoing commitment to the privacy of information in our care, we are reviewing our policies, procedures and processes related to the storage and access of sensitive information to prevent something like this from happening in the future," Young Consulting said in a "notice of data privacy event" post on its website.

Ransomware Group Claims Victim

BlackSuit listed Young Consulting as a victim on its data leak site on May 7, claiming to have stolen various business and employee data - including copies of passports and medical results - as well as financial data and other files stored on shared network drives.

Ransomware groups run data leak sites to help pressure current and future victims into paying, typically accompanied by increasingly belligerent threats. As is typical, the extortionists threatened to leak stolen data if the victim didn't pay a ransom.

"Top management completely refused to negotiate thinking that we are bluffing," the group posted, threatening to leak data within 72 hours unless it got paid. "Business partners and employees - remember, Young Consulting management does not care about you or your personal information."

BlackSuit's previous victims include the city of Dallas in a mid-2023 attack that disrupted public services. In mid-June, the criminals hit auto dealership software solutions giant CDK Global.

Blockchain analytics firm TRM Labs traced a June ransom payment of 387 bitcoins - then worth about $25 million, which makes it the third-largest known ransomware payoff in history - to BlackSuit, although it didn't identify the sender. Three other sources tracking the incident told CNN that CDK appeared to be behind the payment (see: Ransomware Again on Track to Achieve Record-Breaking Profits).

Security experts say BlackSuit is an offshoot of the Russian-speaking Conti ransomware group. According to leaks of Conti's internal communications, the cybercrime outfit was run as a regular business, counting about 200 employees. Conti shut down in 2022, following its leaders' disastrous decision to back Russian President Vladimir Putin's all-out war of conquest against Ukraine, which caused incoming ransom payments to dry up.

Before shutting down, Conti spun out multiple operations under different names, including a group called Royal, which quickly began hitting manufacturing, communications, education and especially healthcare organizations, according to U.S. officials.

"BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023," the U.S. Cybersecurity and Infrastructure Security Agency, together with the FBI, said in a joint alert issued earlier this month. "BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities."

The group typically demands ransoms, payable in bitcoin, ranging from $1 million to $10 million in value. In one case, it set an initial demand worth $60 million, although it often agrees to negotiate its prices down, CISA said.

"BlackSuit conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid," it said. "Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors. After gaining access to victims' networks, BlackSuit actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems."

CISA said the group regularly uses partial - or intermittent - encryption, especially for larger files, which facilitates much more rapid attacks (see: Strike Force: Why Ransomware Groups Feel the Need for Speed).
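Intermittent encryption leaves a recognizable fingerprint: a file that alternates between random-looking (high-entropy) regions and untouched, compressible regions. The following Python script, an added example not taken from the article or from any CISA or vendor tooling, walks a file in fixed-size chunks, measures the Shannon entropy of each chunk, and classifies the file as plain, fully encrypted, intermittently encrypted or partially encrypted. The chunk size, the 7.5 bits/byte threshold, and the sample files (a constructed CSV-like block and seeded pseudo-random bytes standing in for ciphertext) are assumptions chosen for the demonstration, not values from the page.

```python
"""Chunked-entropy check for intermittently encrypted files (added example).

Defender use: run over recently modified files on a file server to spot the
alternating high/low entropy pattern that partial encryption produces.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # analysis window in bytes (assumed; tune per environment)
HIGH_ENTROPY = 7.5     # bits/byte; uniformly random data approaches 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each consecutive chunk of the input."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def entropy_map(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY) -> str:
    """One character per chunk: '#' for a high-entropy chunk, '.' otherwise."""
    return "".join("#" if e >= threshold else "." for e in chunk_entropies(data, chunk_size))


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY) -> str:
    """Classify a file body as 'plain', 'fully_encrypted', 'intermittent' or 'partial'.

    'intermittent' means the high-entropy flag flips at least twice across the
    chunk sequence (encrypted, plain, encrypted, ...). A single flip is reported
    as 'partial' (for example one encrypted header region) to keep it distinct.
    """
    high = [e >= threshold for e in chunk_entropies(data, chunk_size)]
    if not any(high):
        return "plain"
    if all(high):
        return "fully_encrypted"   # may also be compressed or media data; see usage note
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "partial"


# --- constructed sample files (not real victim data) ---------------------------
_rng = random.Random(2024)  # seeded so the samples are reproducible
PLAIN_BLOCK = (b"claim_id,member_name,policy_no,amount\n" * 200)[:CHUNK_SIZE]
PLAIN_SAMPLE = PLAIN_BLOCK * 8                                   # untouched file
ENCRYPTED_SAMPLE = b"".join(_rng.randbytes(CHUNK_SIZE) for _ in range(8))  # every chunk random
INTERMITTENT_SAMPLE = b"".join(                                  # every other chunk random
    _rng.randbytes(CHUNK_SIZE) if i % 2 == 0 else PLAIN_BLOCK for i in range(8)
)


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE),
                         ("encrypted", ENCRYPTED_SAMPLE),
                         ("intermittent", INTERMITTENT_SAMPLE)):
        print(f"{name:13s} {entropy_map(sample)}  -> {classify(sample)}")
```

The alternating map ("#.#.#.#.") is the signal worth alerting on: fully high-entropy files are also produced by ZIP archives, JPEGs and other compressed formats, so "fully_encrypted" on its own is a weak indicator, while an alternating pattern inside a file type that is normally compressible (documents, CSV, database files) is unusual enough to merit investigation, especially when many files under one share change to that pattern in a short window.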


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
