Also NEW by me:

"If threat actors gave you a chance to redact the patient data they hacked before they leak it, would you take them up on the offer? Read about the Woundtech incident."

I've never encountered any threat actors spending so much time redacting patient data before they leak it -- and even giving their victim the opportunity to redact the hacked data tranche before the threat actors leak it.

Read more about this one at:

https://databreaches.net/2026/03/23/if-threat-actors-gave-you-a-chance-to-redact-the-patient-data-they-hacked-before-they-leak-it-would-you-take-them-up-on-the-offer-read-about-the-woundtech-incident/

#databreach #healthsec #woundtech #cybersecurity #redaction #incidentresponse #FulcrumSec

@zackwhittaker @campuscodi @euroinfosec @DysruptionHub @amvinfe

@PogoWasRight @zackwhittaker @campuscodi @euroinfosec @DysruptionHub

I had never come across groups willing to redact sensitive data, nor had I ever seen a group offer to do so directly to its victim. As you point out, there is no certainty regarding FulcrumSec’s claims, but apparently there are no denials either.
If all of this were true, we would be dealing with an entity that was negligent both at the IT level and at the managerial level - and, above all, remarkably irrational.
I struggle to understand the logic behind their choices: they were willing to pay to prevent the data from being exposed, but not when it came to having it redacted? What kind of sense does that make?

@amvinfe @PogoWasRight @zackwhittaker @campuscodi @euroinfosec

That was a good read.

I’m guessing their lawyers probably told them that legally it was a HIPAA spill, regardless of the redaction efforts, and any cooperation could probably expose them to even more liability. So from their perspective, there was no benefit in cooperation, even if it might have been the moral choice.

@DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

Isn't there benefit in restoring patients' trust in you? I mean, right now, patients might say, "You refused to pay to get our data deleted, and then you wouldn't even redact it when you had the opportunity to!"

@PogoWasRight @DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec I would expect that the vast majority of patients never even hear of this to begin with, and of those that do, only a fraction would care. Data breaches really only have consequences for businesses if their trade secrets are involved.

@siguza

I disagree. The idea that “most patients won’t know” or “won’t care” is quite reductive and, frankly, dangerous.

A healthcare data breach is not comparable to a leaked email or password: we’re talking about medical records, health information, SSNs/tax IDs, and insurance data. This is extremely sensitive information that can have concrete and long-lasting consequences on people’s lives, both personally and financially.

Even assuming that some patients may not become immediately aware of the breach, this in no way reduces the seriousness of what happened or the company’s responsibility. The potential harm still exists: identity theft, insurance fraud, discrimination, blackmail.

Moreover, saying that breaches “only matter if trade secrets are involved” completely ignores the fact that personal data — especially health data — has enormous value precisely because it concerns real individuals, not companies. That is exactly why it is protected by very strict regulations.

Finally, I believe anyone would change their perspective if they were on the other side: if it were their own medical records ending up online, they would hardly remain indifferent.

@PogoWasRight @DysruptionHub @zackwhittaker @campuscodi @euroinfosec

@amvinfe @PogoWasRight @DysruptionHub @zackwhittaker @campuscodi @euroinfosec

Don't twist my words! I never said breaches "don't matter", I said they have no consequences for businesses.

I also think you're dangerously naive. When have you ever seen significant action from customers/users as a result of a data breach? The problem is that people only care once they are immediately affected. And then it's too late, and all too often way too far removed from the party responsible for the data breach. If they get blackmailed or have their identity stolen, they're mad at the people doing that, and not at the business who leaked their data that enabled the data theft or blackmailing.

I remember CreditSuisse and the financial crisis in 2008. Before the Swiss National Bank stepped in, Swiss customers of CreditSuisse were looking at the possibility of immediate and complete financial ruin as a consequence of the bank's actions. I'm being told that they lost just under a third of their customers in the fallout of that. But it should have been 100%!! Are you fucking kidding me?! More than two thirds of people kept their assets at the bank that almost lost absolutely everything?!

This is a level of inertness that is unfathomable to me, and it scares me. But it is entirely real, and pretending that it isn't would just be delusional.

@siguza @DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

I think I would agree with you for breaches in the business and financial sectors (I remember reporting on one BoA breach and couldn't understand why all of their customers just didn't go find a more responsive bank), but I disagree when we are talking about the healthcare sector.

As the press release from the 2025 Bluesight Breach Barometer reported for U.S. health data breaches disclosed in 2024:

"Beyond operational and trust-related challenges, breaches also had significant financial consequences. Many healthcare organizations faced increased patient churn, as individuals sought alternative providers where available. Rising cyber insurance costs added another layer of strain, with some entities struggling to obtain coverage due to heightened risks. Additionally, hundreds of entities failed to disclose these breaches or notify patients promptly, leaving individuals exposed to prolonged risk and raising compliance concerns."

As a current example of consequences, the Florida Insurance Commissioner recently suspended Mirra Health's license after it outsourced patient data to overseas, unlicensed entities.

We also see some large settlements and corrective action plans as consequences of healthcare sector breaches.

So if your statement about businesses not experiencing consequences unless trade secrets are involved was also intended to include the healthcare sector, I think we just may disagree on that.

@PogoWasRight okay, so I see from the IBM report that breaches are significantly more expensive for businesses in the healthcare sector than in others... do we have actual data on why that is? I only see from their "industry demographics" graph that "healthcare" made up 1% of the 604 organisations studied, so... 6 companies?

I've also looked at the Bluesight press release, but the quote "Many healthcare organizations faced increased patient churn" appears to be based on the full report saying "Patient Churn: Breaches can lead to increased patient turnover, with some individuals switching to alternative providers where available. This exacerbated challenges to patient loyalty and retention for already-burdened healthcare institutions" which is worded much less... definitively. I'd love to see more data on this. If that's 75%, then your business is done indeed. But if it's 10%, then you just fire your remaining security staff and YOLO it, since the remainder of your customer base appears to not give a shit anyway.

Hearing about a license suspension is nice though, and is more than I expected. But that is very definitely thanks to regulations, rather than "market pressure" or whatever you wanna call it.

@siguza I think it's more expensive because data is more sensitive, immutable, and potentially harmful to patients.

I read daily news items on settlements in health sector breach cases, and yes, I see some expensive ones -- like the $65M settlement after BlackCat posted nude photos of Lehigh Valley Health Network cancer patients on the internet. I'm waiting to see what happens with a few current cases involving plastic surgeons whose nude photos of patients have been leaked on the internet after the surgeons wouldn't pay the ransom demands.

I also see enforcement actions by state attorneys general and the occasional HHS OCR enforcement action.

There has never been solid "churn" data, and I have no idea where Bluesight got that from, as I provided the statistical analyses for their report, and I did not give them any data on churn. Surveys on churn usually ask what patients would do in the event of a breach. There has been almost no research on what patients have actually done, though. Here is one of the rare actual studies that shows impact, but not necessarily churn: https://www.sciencedirect.com/science/article/abs/pii/S0167811625000047