Also NEW by me:

"If threat actors gave you a chance to redact the patient data they hacked before they leak it, would you take them up on the offer? Read about the Woundtech incident."

I've never encountered any threat actors spending so much time redacting patient data before they leak it -- and even giving their victim the opportunity to redact the hacked data tranche before the threat actors leak it.

Read more about this one at:

https://databreaches.net/2026/03/23/if-threat-actors-gave-you-a-chance-to-redact-the-patient-data-they-hacked-before-they-leak-it-would-you-take-them-up-on-the-offer-read-about-the-woundtech-incident/

#databreach #healthsec #woundtech #cybersecurity #redaction #incidentresponse #FulcrumSec

@zackwhittaker @campuscodi @euroinfosec @DysruptionHub @amvinfe

@PogoWasRight @zackwhittaker @campuscodi @euroinfosec @DysruptionHub

I had never come across groups willing to redact sensitive data, nor had I ever seen a group offer to do so directly to its victim. As you point out, there is no certainty regarding FulcrumSec’s claims, but apparently there are no denials either.
If all of this were true, we would be dealing with an entity that was negligent both at the IT level and at the managerial level - and, above all, remarkably irrational.
I struggle to understand the logic behind their choices: they were willing to pay to prevent the data from being exposed, but not when it came to having it redacted? What kind of sense does that make?

@amvinfe @PogoWasRight @zackwhittaker @campuscodi @euroinfosec

That was a good read.

I’m guessing their lawyers probably told them that legally it was a HIPAA spill, regardless of the redaction efforts, and any cooperation could probably expose them to even more liability. So from their perspective, there was no benefit in cooperation, even if it might have been the moral choice.

@DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

Isn't there benefit in restoring patients' trust in you? I mean, right now, patients might say, "You refused to pay to get our data deleted, and then you wouldn't even redact it when you had the opportunity to!"

@PogoWasRight @DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec I would expect that the vast majority of patients never even hear of this to begin with, and of those that do, only a fraction would care. Data breaches really only have consequences for businesses if their trade secrets are involved.

@siguza

I disagree. The idea that “most patients won’t know” or “won’t care” is quite reductive and, frankly, dangerous.

A healthcare data breach is not comparable to a leaked email or password: we’re talking about medical records, health information, SSNs/tax IDs, and insurance data. This is extremely sensitive information that can have concrete and long-lasting consequences on people’s lives, both personally and financially.

Even assuming that some patients may not become immediately aware of the breach, this in no way reduces the seriousness of what happened or the company’s responsibility. The potential harm still exists: identity theft, insurance fraud, discrimination, blackmail.

Moreover, saying that breaches “only matter if trade secrets are involved” completely ignores the fact that personal data — especially health data — has enormous value precisely because it concerns real individuals, not companies. That is exactly why it is protected by very strict regulations.

Finally, I believe anyone would change their perspective if they were on the other side: if it were their own medical records ending up online, they would hardly remain indifferent.

@PogoWasRight @DysruptionHub @zackwhittaker @campuscodi @euroinfosec

@amvinfe @PogoWasRight @DysruptionHub @zackwhittaker @campuscodi @euroinfosec

Don't twist my words! I never said breaches "don't matter", I said they have no consequences for businesses.

I also think you're dangerously naive. When have you ever seen significant action from customers/users as a result of a data breach? The problem is that people only care once they are immediately affected. And then it's too late, and all too often way too far removed from the party responsible for the data breach. If they get blackmailed or have their identity stolen, they're mad at the people doing that, and not at the business who leaked their data that enabled the data theft or blackmailing.

I remember CreditSuisse and the financial crisis in 2008. Before the Swiss National Bank stepped in, Swiss customers of CreditSuisse were looking at the possibility of immediate and complete financial ruin as a consequence of the bank's actions. I'm being told that they lost just under a third of their customers in the fallout of that. But it should have been 100%!! Are you fucking kidding me?! More than two thirds of people kept their assets at the bank that almost lost absolutely everything?!

This is a level of inertness that is unfathomable to me, and it scares me. But it is entirely real, and pretending that it isn't would just be delusional.