Dermatology Clinic Chain Breach Affects 2.4 MillionIncident Reportedly Involved 'Cuba' Ransomware
Forefront Dermatology S.C, a Wisconsin-based dermatology practice with affiliated offices in 21 states plus Washington, D.C., is notifying 2.4 million patients, employees and clinicians of a recent hacking incident. The incident apparently involved a ransomware strain known as "Cuba."
The incident is the third-largest breach added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website so far this year.
Apparent Ransomware Attack
Data breach tracking blog DataBreaches.net reports: "Although not revealed in [Forefront's] disclosure, the attack was the work of threat actors calling themselves 'Cuba Ransomware.' The threat actors dumped some of Forefront’s data at the end of June."
Databreaches.net says it viewed some of the data dump on the gang's darknet data leak site. "The dump was only about 47 MB, but what it did include was more than 130 files with information on the entity’s system and network, with security and backup details, and all their logins to health insurance portals, etc.," Databreaches.net says.
"Hopefully, Forefront has notified all of the insurers whose portals they use that their login credentials were compromised. A passwords file in the dump listed more than 100 sets of logins," Databreaches.net writes. "Sadly, there was what appeared to be a lot of weak passwords and extensive password reuse. More than 40 passwords had 'Forefront' in combination with some digit(s) and an exclamation point. Another 10 had some variant of DAWderm1!."
In a breach notification, Forefront Dermatology says that on June 24, the organization and its affiliated practices concluded an investigation "of an intrusion into its IT network by unauthorized parties and determined that the incident resulted in unauthorized access to certain files on its IT systems" containing patient, employee and provider information.
"The company first identified the intrusion on June 4, and immediately took its network offline to protect the information it maintains and secure its systems. In addition it promptly launched an investigation and notified law enforcement," Forefront says.
The investigation determined that unauthorized parties gained access to Forefront's IT network between May 28 and June 4, the notifications say.
Forefront Dermatology says potentially compromised information includes name, address, date of birth, patient account number, health insurance plan member ID number, medical record number, dates of service, provider names, and/or medical and clinical treatment information.
The organization says in the notification posted on its website that there is no evidence that patients' Social Security numbers, driver’s license numbers or financial account/payment card information were involved in this incident. But a separate breach notification provided to the Maine attorney general says some files may have contained Social Security numbers.
Forefront did not immediately respond to Information Security Media Group's request for additional details, including whether the incident involved ransomware.
Less Active Group
The gang behind the Cuba ransomware variant is "one of the less active groups," says Brett Callow, a threat analyst at security firm Emsisoft. "That’s not to say they’re not a threat - simply that organizations are far more likely to be hit by other groups."
In a May 5 blog, security researcher Omri Segev Moyal, CEO of security firm Profero, noted that Cuba ransomware "utilizes the symmetric ChaCha20 algorithm for encrypting files, and the asymmetric RSA algorithm for encrypting key information. As a result … files could not be decrypted without the threat actor’s private RSA key."
Moyal tells ISMG: "Cuba ransomware were quite off the radar for some time. But lately as our report suggest 'they are on a roll.'"
Researchers at security firm Group-IB reported in May that attackers co-opted the Hancitor malware downloader and used it recently to deliver Cuba ransomware as part of an email spam campaign for data exfiltration and ransom extortion (see: Malspam Campaign Used Hancitor to Download Cuba Ransomware).
Cuba ransomware has been active since at least January 2020, Group-IB researchers say. "Its operators have a DLS site, where they post exfiltrated data from their victims who refused to pay the ransom."
As of April 28, the Cuba darknet data leak site mentioned nine companies - primarily from the aviation, financial, education and manufacturing industries - as victims, Group-IB reports.