@PogoWasRight @zackwhittaker @campuscodi @euroinfosec @DysruptionHub

I had never come across groups willing to redact sensitive data, nor had I ever seen a group offer to do so directly to its victim. As you point out, there is no certainty regarding FulcrumSec’s claims, but apparently there are no denials either.
If all of this were true, we would be dealing with an entity that was negligent both at the IT level and at the managerial level - and, above all, remarkably irrational.
I struggle to understand the logic behind their choices: they were willing to pay to prevent the data from being exposed, but not when it came to having it redacted? What kind of sense does that make?

@amvinfe @PogoWasRight @zackwhittaker @campuscodi @euroinfosec

That was a good read.

I’m guessing their lawyers probably told them that legally it was a HIPAA spill, regardless of the redaction efforts, and any cooperation could probably expose them to even more liability. So from their perspective, there was no benefit in cooperation, even if it might have been the moral choice.

@DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

Isn't there benefit in restoring patients' trust in you? I mean, right now, patients might say, "You refused to pay to get our data deleted, and then you wouldn't even redact it when you had the opportunity to!"

@siguza @DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

I think I would agree with you for breaches in the business and financial sectors (I remember reporting on one BoA breach and couldn't understand why all of their customers just didn't go find a more responsive bank), but I disagree when we are talking about the healthcare sector.

As the press release from the 2025 Bluesight Breach Barometer reported for U.S. health data breaches disclosed in 2024:

"Beyond operational and trust-related challenges, breaches also had significant financial consequences. Many healthcare organizations faced increased patient churn, as individuals sought alternative providers where available. Rising cyber insurance costs added another layer of strain, with some entities struggling to obtain coverage due to heightened risks. Additionally, hundreds of entities failed to disclose these breaches or notify patients promptly, leaving individuals exposed to prolonged risk and raising compliance concerns."

As a current example of consequences, the Florida Insurance Commissioner recently suspended Mirra Health's license after it outsourced patient data to overseas, unlicensed entities.

We also see some large settlements and corrective action plans as consequences of healthcare sector breaches.

So if your statement about businesses not experiencing consequences unless trade secrets are involved was also intended to include the healthcare sector, I think we just may disagree on that.