Dissent Doe  

3.1K Followers
1.3K Following
2.3K Posts

Blogger/journalist at databreaches.net and pogowasright.org. As a retired healthcare professional, breaches in the healthcare sector are my priority.

The header pic is Indy, a Siberian husky we rescued in 2016 after I read how nobody wanted her because she was so difficult. She is now living her best life and is a mushball with me.

#DataBreaches: https://www.databreaches.net
#Privacy: https://www.pogowasright.org
Have a news tip? Signal: Dissent.73
Email: [email protected]
Pronouns: She/Her

It seems Vect has partnered with Hasan's BF clone (breached[.]st) and is making everyone registered for the forum an affiliate of vect ransomware. They also announced they are partnering with TeamPCP and plan to deploy ransomware across all victims of the Trivy/LiteLLM compromises.

The kids have big dreams, it seems.

How much will they actually follow through on? Place your bets...

#ransomware #vect #TeamPCP #hasan #breached #trivy #liteLLM

@OutsideCasey Indy was "historically difficult." We just find her "hysterically difficult." 😂 But yes, it's quite a journey with some of the dogs we have rescued over the years. People need to learn Indy's rules:

  • If you drop it in the den or the yard, it's mine.

  • If you leave it up on a counter anywhere, it's mine.

  • If it's mine, you can bribe me to give it back, but it will cost you a few treats.

  • If it's not mine now, it will be mine. Count on it. 😂

@siguza I think it's more expensive because data is more sensitive, immutable, and potentially harmful to patients.

I read daily news items on settlements in health sector breach cases, and yes, I see some expensive ones -- like the $65M settlement after BlackCat posted nude photos of Lehigh Valley Health Network cancer patients on the internet. I'm waiting to see what happens with a few current cases involving plastic surgeons whose nude photos of patients have been leaked on the internet after the surgeons wouldn't pay the ransom demands.

I also see enforcement actions by state attorneys general and the occasional HHS OCR enforcement action.

There has never been solid "churn" data, and I have no idea where Bluesight got that from, as I provided the statistical analyses for their report, and I did not give them any data on churn. Surveys on churn usually ask what patients would do in the event of a breach. There has been almost no research on what patients have actually done, though. Here is one of the rare actual studies that shows impact, but not necessarily churn: https://www.sciencedirect.com/science/article/abs/pii/S0167811625000047

@OutsideCasey The percent I asked for would certainly be an underestimate, for the reasons you so accurately described. But it would be nice to have even a low-ball baseline to get a sense of how often this occurs.

Most of us have probably read that one reason not to pay threat actors is that they cannot be trusted to keep their word to delete data they have exfiltrated. But how often does that actually occur?

I have sent inquiries to a number of incident response/negotiation firms and the DOJ. If I did not send one to your firm and your firm handles a lot of negotiations and payments, please accept my apologies for not having contacted you, and answer the following question (either publicly or via a private message to me):

In what percentage of cases where payment was made to delete data, did threat actors break their word and not delete it?

Please feel free to share this post with others here and elsewhere to boost my chances of getting additional responses/estimates. Thank you all.

#incidentresponse #ransom #extortion #ransomware #databreach

@siguza @DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

I think I would agree with you for breaches in the business and financial sectors (I remember reporting on one BoA breach and couldn't understand why all of their customers just didn't go find a more responsive bank), but I disagree when we are talking about the healthcare sector.

As the press release from the 2025 Bluesight Breach Barometer reported for U.S. health data breaches disclosed in 2024:

"Beyond operational and trust-related challenges, breaches also had significant financial consequences. Many healthcare organizations faced increased patient churn, as individuals sought alternative providers where available. Rising cyber insurance costs added another layer of strain, with some entities struggling to obtain coverage due to heightened risks. Additionally, hundreds of entities failed to disclose these breaches or notify patients promptly, leaving individuals exposed to prolonged risk and raising compliance concerns."

As a current example of consequences, the Florida Insurance Commissioner recently suspended Mirra Health's license after it outsourced patient data to overseas, unlicensed entities.

We also see some large settlements and corrective action plans as consequences of healthcare sector breaches.

So if your statement about businesses not experiencing consequences unless trade secrets are involved was also intended to include the healthcare sector, I think we just may disagree on that.

@siguza @DysruptionHub

I blogged about this because I am really curious about how this plays out from the perspectives of patients, legal counsel for breached entities, HHS OCR, cyberinsurers, and juries if a case ever went to trial.

Is this a Hobson's Choice for them?

@DysruptionHub @amvinfe @zackwhittaker @campuscodi @euroinfosec

Isn't there benefit in restoring patients' trust in you? I mean, right now, patients might say, "You refused to pay to get our data deleted, and then you wouldn't even redact it when you had the opportunity to!"

@amvinfe @PogoWasRight @zackwhittaker @campuscodi @euroinfosec

That was a good read.

I’m guessing their lawyers probably told them that legally it was a HIPAA spill, regardless of the redaction efforts, and any cooperation could probably expose them to even more liability. So from their perspective, there was no benefit in cooperation, even if it might have been the moral choice.

@amvinfe

What makes it crazier is that they were not asked to pay for redaction. They were asked to redact the data tranche themselves or have a proxy redact it, and then the threat actors would leak the redacted data and not unredacted data.

So they were willing to pay to delete the data but not willing to redact the data before it gets leaked because they didn't pay.

I'm sure legal counsel for victims can come up with justifications for not agreeing to redact their patient data so that unredacted data isn't leaked, but I'm just scratching my head over this one, and I wonder what plaintiffs' lawyers will do about this aspect in the litigation.

@zackwhittaker @campuscodi @euroinfosec @DysruptionHub