BlackCat targets Grace Lutheran Communities; employee and resident data compromised

Parker Bytes February 20, 2024

Well, you won’t believe what’s been causing a stir in Wisconsin recently. Yes, I’m afraid it’s yet more news about cybersecurity problems with healthcare data. You’d think that by now, in 2024 no less, we’d have the basics of data protection down to a science, wouldn’t you? But, unfortunately, it appears the saga continues.

Grace Lutheran, a rather comprehensive healthcare establishment in Wisconsin, has been in the spotlight due to a rather concerning data breach. They proudly cater to the community’s needs with a range of services including assisted living, rehabilitation services, independent living, childcare, and even skilled nursing. Lovely people doing a crucial job, I reckon, but they’ve run into a bit of a sticky wicket, cyber-wise.

Back on February 9, they let the public know that they had discovered, to their dismay, a data breach that had occurred on January 22. The silver lining? They were sure nobody was misusing any data. However, an ongoing investigation has painted a grimmer picture – patients’ names, addresses, Social Security numbers, and health insurance information were involved. Blimey!

Now here’s where it gets a bit juicy. On the very day they dropped that public notice, a group called BlackCat, who fancy themselves a right team of hackers, added Grace Lutheran to their dark web leak site. According to BlackCat’s own blog post, they had got their hands on 70 GB of data. They claim that after weeks of back-and-forth chats, Grace Lutheran wouldn’t protect the data of its employees and patients, which led to BlackCat sharing the data with everyone and their dog.

But, as usual, there are two sides to every tale. The negotiation log provided to DataBreaches does not show the foundation refusing to pay up. It shows them agreeing to pay, but asking for more time to come up with the cash. After that, talks just fell apart, and Grace Lutheran went a bit quiet.

DataBreaches were also given a sneak peek at the leaked data. It looks like it involves real and sensitive information about both employees and patients. Even worse, many files had patient names and dates as part of the filename – a proper info breach nightmare if you ask me.

Now, the plot thickens further, as DataBreaches dropped a line to Grace Lutheran on February 17. No reply yet, but they seem to have quietly spruced up their security incident notice a bit, stating that they are working with their cybersecurity team to deal with the publication of the affected data and that they will get in touch with anyone affected. Rather good manners, if you ask me.

Based on the info on its website, it looks like Grace Lutheran is technically a HIPAA-covered entity. But there’s no report listed on HHS at this time; perhaps that’s because they are still within the 60-day window to notify. The spokesperson from BlackCat said that getting into Grace Lutheran’s systems was a walk in the park, using phishing and social engineering.

The question BlackCat left unanswered, though, is whether they regret not taking the sum offered by Grace Lutheran during negotiation. DataBreaches asked the million-dollar question: did they regret it? Well, they didn’t give a clear answer. They mentioned that the initial demand was $750,000. When Grace came back with $435,000, BlackCat thumped the table and asked for $100k more. But then things stalled, more time was asked for, and Grace Lutheran went tight-lipped.

So, here we are. A cybersecurity rollercoaster filled with negotiations, claims and counterclaims. The only clear fact is that there are hard questions to be answered and significant lessons to take from this episode. Time will tell how this shakes out, but one thing’s for sure: we all have to do better when it comes to data security in healthcare. Protecting patient information, after all, is not a mere ask – it’s a must!