Also NEW by me:

"If threat actors gave you a chance to redact the patient data they hacked before they leak it, would you take them up on the offer? Read about the Woundtech incident."

I've never encountered any threat actors spending so much time redacting patient data before they leak it -- and even giving their victim the opportunity to redact the hacked data tranche before the threat actors leak it.

Read more about this one at:

https://databreaches.net/2026/03/23/if-threat-actors-gave-you-a-chance-to-redact-the-patient-data-they-hacked-before-they-leak-it-would-you-take-them-up-on-the-offer-read-about-the-woundtech-incident/

#databreach #healthsec #woundtech #cybersecurity #redaction #incidentresponse #FulcrumSec

@zackwhittaker @campuscodi @euroinfosec @DysruptionHub @amvinfe

@PogoWasRight @zackwhittaker @campuscodi @euroinfosec @DysruptionHub

I had never come across groups willing to redact sensitive data, nor had I ever seen a group offer to do so directly to its victim. As you point out, there is no certainty regarding FulcrumSec’s claims, but apparently there are no denials either.
If all of this were true, we would be dealing with an entity that was negligent both at the IT level and at the managerial level - and, above all, remarkably irrational.
I struggle to understand the logic behind their choices: they were willing to pay to prevent the data from being exposed, but not when it came to having it redacted? What kind of sense does that make?

@amvinfe @PogoWasRight @zackwhittaker @campuscodi @euroinfosec

That was a good read.

I’m guessing their lawyers probably told them that legally it was a HIPAA spill, regardless of the redaction efforts, and any cooperation could probably expose them to even more liability. So from their perspective, there was no benefit in cooperation, even if it might have been the moral choice.

@DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

Isn't there benefit in restoring patients' trust in you? I mean, right now, patients might say, "You refused to pay to get our data deleted, and then you wouldn't even redact it when you had the opportunity to!"

@PogoWasRight @DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec I would expect that the vast majority of patients never even hear of this to begin with, and of those that do, only a fraction would care. Data breaches really only have consequences for businesses if their trade secrets are involved.

@siguza @DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

I think I would agree with you for breaches in the business and financial sectors (I remember reporting on one BoA breach and couldn't understand why all of their customers just didn't go find a more responsive bank), but I disagree when we are talking about the healthcare sector.

As the press release from the 2025 Bluesight Breach Barometer reported for U.S. health data breaches disclosed in 2024:

"Beyond operational and trust-related challenges, breaches also had significant financial consequences. Many healthcare organizations faced increased patient churn, as individuals sought alternative providers where available. Rising cyber insurance costs added another layer of strain, with some entities struggling to obtain coverage due to heightened risks. Additionally, hundreds of entities failed to disclose these breaches or notify patients promptly, leaving individuals exposed to prolonged risk and raising compliance concerns."

As a current example of consequences, the Florida Insurance Commissioner recently suspended Mirra Health's license after it outsourced patient data to overseas, unlicensed entities.

We also see some large settlements and corrective action plans as consequences of healthcare sector breaches.

So if your statement about businesses not experiencing consequences unless trade secrets are involved was also intended to include the healthcare sector, I think we just may disagree on that.

@PogoWasRight okay, so I see from the IBM report that breaches are significantly more expensive for businesses in the healthcare sector than in others... do we have actual data on why that is? I only see from their "industry demographics" graph that "healthcare" made up 1% of the 604 organisations studied, so... 6 companies?

I've also looked at the Bluesight press release, but the quote "Many healthcare organizations faced increased patient churn" appears to be based on the full report saying "Patient Churn: Breaches can lead to increased patient turnover, with some individuals switching to alternative providers where available. This exacerbated challenges to patient loyalty and retention for already-burdened healthcare institutions" which is worded much less... definitively. I'd love to see more data on this. If that's 75%, then your business is done indeed. But if it's 10%, then you just fire your remaining security staff and YOLO it, since the remainder of your customer base appears to not give a shit anyway.

Hearing about a license suspension is nice though, and is more than I expected. But that is very definitely thanks to regulations, rather than "market pressure" or whatever you wanna call it.

@siguza I think it's more expensive because data is more sensitive, immutable, and potentially harmful to patients.

I read daily news items on settlements in health sector breach cases, and yes, I see some expensive ones -- like the $65M settlement after BlackCat posted nude photos of Lehigh Valley Health Network cancer patients on the internet. I'm waiting to see what happens with a few current cases involving plastic surgeons whose nude photos of patients have been leaked on the internet after the surgeons wouldn't pay the ransom demands.

I also see enforcement actions by state attorneys general and the occasional HHS OCR enforcement action.

There has never been solid "churn" data, and I have no idea where Bluesight got that from, as I provided the statistical analyses for their report, and I did not give them any data on churn. Surveys on churn usually ask what patients would do in the event of a breach. There has been almost no research on what patients have actually done, though. Here is one of the rare actual studies that shows impact, but not necessarily churn: https://www.sciencedirect.com/science/article/abs/pii/S0167811625000047