Equinox Healthcare Alerts 21K Patients and Staff of Data Breach

By Admin | 2024-11-23 | Cyber Attack

Equinox, a health and human services organization based in New York, has started notifying over 21,000 clients and staff members about a data breach involving the theft of personal, health, and financial information. The breach, which occurred nearly seven months ago, has been linked to the LockBit 3.0 ransomware group, despite the group's supposed shutdown earlier in the year.

Equinox, which provides vital mental health, addiction services, domestic violence support, and other community services in the capital region of New York, has ten locations and serves around 3,500 people annually. The organization began mailing notification letters to 21,565 affected individuals, informing them that cybercriminals had accessed files containing sensitive information, including names, addresses, Social Security numbers, financial details, health records, and medical information.

The breach, which took place on April 29, disrupted Equinox’s network access. The organization says it immediately secured its IT systems, enlisted a cybersecurity firm, and initiated an investigation. By September 16, Equinox confirmed that some of the compromised files contained protected health information (PHI), prompting the breach notifications.

The LockBit 3.0 ransomware gang, which is notorious for data theft and extortion, had initially listed Equinox on its data leak site on May 18, claiming to have stolen 49GB of data. The group later updated the listing on August 11, threatening to leak 31.8GB of files after the organization failed to meet its demands. This breach occurred after LockBit had been publicly disrupted in February, highlighting the persistent nature of ransomware groups despite law enforcement actions.

As of August, LockBit 3.0 remains one of the most active and prolific ransomware gangs, continuing to target a wide range of organizations worldwide. The breach at Equinox, which involves sensitive personal and health data, may result in lawsuits and further scrutiny of the organization's cybersecurity practices.