Dermatology Clinic Chain Attack Could Affect More Than 2 Million Customers
A ransomware strain named “Cuba” was allegedly involved in a data breach of a dermatology clinic chain called Forefront Dermatology S.C. The practice, based in Wisconsin, has offices in 21 states.
With well over 2 million patients, employees and clinicians affected, the potential for damage is immense. DataBreaches.net, a blog that tracks breaches and attacks, reported that the group calling itself “Cuba Ransomware” is responsible for the attack.
“Although not revealed in [Forefront’s] disclosure, the attack was the work of threat actors calling themselves ‘Cuba Ransomware.’ The threat actors dumped some of Forefront’s data at the end of June.”
The size of the data dump did not reflect the gravity of the situation: although less than 50 MB, it included sensitive information about the organization’s systems and network.
“The dump was only about 47 MB, but what it did include was more than 130 files with information on the entity’s system and network, with security and backup details, and all their logins to health insurance portals, etc.,” Databreaches.net wrote in their blog after having viewed the data on the ransomware group’s data leak site.
The leaked data also included a file containing more than 100 sets of logins. “Sadly, there was what appeared to be a lot of weak passwords and extensive password reuse. More than 40 passwords had ‘Forefront’ in combination with some digit(s) and an exclamation point. Another 10 had some variant of DAWderm1!,” wrote DataBreaches.net.
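The two weaknesses described above (organization-name passwords with a digit and an exclamation point, and the same or near-identical password reused across accounts) are exactly what a defender can check for in their own credential inventory before an attacker does. The script below is an added example, not code from the article or from DataBreaches.net; the credential list is constructed for illustration and the organization tokens are assumed. It flags passwords that follow the org-name pattern, groups near-duplicate variants by their base word, and reports exact reuse across accounts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample credentials (hypothetical; not the leaked data).
# Each entry is (system, username, password).
SAMPLE_CREDENTIALS = [
    ("insurer-portal-a", "alice", "Forefront1!"),
    ("insurer-portal-b", "alice", "Forefront1!"),   # exact reuse
    ("insurer-portal-c", "bob",   "Forefront22!"),  # same base word, new digits
    ("backup-console",   "carol", "DAWderm1!"),
    ("vpn",              "dave",  "dawDERM2!"),     # case/digit variant
    ("lab-system",       "erin",  "x7#Qp!vL9sW2mT4z"),  # a strong password
]

# Assumed organization-specific tokens to look for (lowercase).
ORG_TOKENS = ("forefront", "dawderm")

# Password is an org token followed only by digits and/or punctuation.
_ORG_PATTERNS = {
    tok: re.compile(rf"{re.escape(tok)}\d*[!@#$%^&*]*", re.IGNORECASE)
    for tok in ORG_TOKENS
}


def org_token_pattern(password, patterns=_ORG_PATTERNS):
    """Return the org token if the password is token + digits + punctuation, else None."""
    for tok, pat in patterns.items():
        if pat.fullmatch(password):
            return tok
    return None


def base_word(password):
    """Strip digits and punctuation and lowercase, so 'DAWderm1!' -> 'dawderm'."""
    return re.sub(r"[^a-z]", "", password.lower())


def audit(credentials):
    """Audit a credential list for org-name passwords, variant families and reuse."""
    org_pattern = []                 # accounts whose password is org token + digits/punct
    by_token = Counter()             # how many passwords per org token
    reuse = defaultdict(list)        # exact password -> accounts using it
    variants = defaultdict(set)      # base word -> distinct passwords sharing it
    for system, user, pw in credentials:
        acct = f"{user}@{system}"
        tok = org_token_pattern(pw)
        if tok:
            org_pattern.append(acct)
            by_token[tok] += 1
        reuse[pw].append(acct)
        variants[base_word(pw)].add(pw)
    reused = {pw: accts for pw, accts in reuse.items() if len(accts) > 1}
    variant_families = {b: sorted(p) for b, p in variants.items() if len(p) > 1}
    return {
        "org_pattern": org_pattern,
        "by_token": dict(by_token),
        "reused": reused,
        "variant_families": variant_families,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CREDENTIALS)
    print("Org-name passwords:", report["org_pattern"])
    print("Counts per token:  ", report["by_token"])
    print("Exact reuse:       ", report["reused"])
    print("Variant families:  ", report["variant_families"])
```

Run against a real inventory, the "variant_families" output is the more useful signal: an exact-match check misses `Forefront1!` versus `Forefront22!`, but grouping by base word catches the whole family, which is what an attacker holding one leaked login would try first. Findings of this kind argue for enforcing unique, generated secrets per portal (via a password manager) rather than only a longer minimum length.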
Forefront Dermatology also acknowledged the incident, saying that as soon as the intrusion was detected on June 4, the network was promptly taken down to protect information and maintain security.
“On June 24, 2021, Forefront Dermatology, S.C. and its affiliated practices concluded its investigation of an intrusion into its IT network by unauthorized parties and determined that the incident resulted in unauthorized access to certain files on its IT systems that contain patient information,” said the dermatology practice in their breach notification.
Forefront’s network was compromised between May 28 and June 4, according to the investigation. The unauthorized parties accessed information that “may have included patient names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, accession numbers, provider names, and/or medical and clinical treatment information.”
The organization denies that any patients’ Social Security numbers, driver’s license numbers or payment card information were exposed.
Brett Callow, a threat analyst at security firm Emsisoft, reported that the group behind Cuba ransomware is “one of the less active groups,” but did not rule out the threat it poses. Omri Segev Moyal, CEO of security firm Profero, added that the Cuba ransomware “utilizes the symmetric ChaCha20 algorithm for encrypting files, and the asymmetric RSA algorithm for encrypting key information.” In other words, the per-file keys are wrapped with the attackers’ RSA public key, so the files cannot be decrypted without the threat actor’s private key.
Although Cuba ransomware is not the most prominent strain, it has been active since at least January 2020, and its operators run a data leak site (DLS) used to post exfiltrated data should the victim fail to pay the ransom.