Health Data of 533,000 Individuals Stolen in GHC-SCW Ransomware Attack


Group Health Cooperative of South Central Wisconsin (GHC-SCW), a non-profit healthcare service provider, has disclosed a significant ransomware attack that occurred in January 2024, resulting in the theft of personal and medical information belonging to more than 500,000 individuals.

The attack, attributed to a ransomware gang that was not named at the time and later claimed by the BlackSuit group, was identified by GHC-SCW on January 25, 2024. The organization's Information Technology (IT) Department promptly isolated and secured the network, preventing the encryption of compromised devices. External cyber incident response experts assisted in restoring systems, which were temporarily offline during containment efforts.

During the investigation, GHC-SCW confirmed that the attackers had accessed and copied data, including protected health information (PHI), comprising names, addresses, phone numbers, email addresses, dates of birth and/or death, Social Security numbers, member numbers, and Medicare and/or Medicaid numbers. The breach affected 533,809 individuals, according to information submitted to the U.S. Department of Health and Human Services.

In response to the breach, GHC-SCW has implemented additional security measures to enhance controls, data backup procedures, and user training to prevent future incidents.

Impacted individuals are advised to monitor communications from healthcare providers, including electronic messages and billing statements, and to promptly report any suspicious activity to GHC-SCW.

While GHC-SCW did not initially disclose the name of the ransomware gang responsible, BlackSuit later claimed responsibility for the attack, asserting that stolen files also included financial information, employee data, business contracts, and email correspondence.

BlackSuit, previously associated with the Royal ransomware gang, has been linked to numerous ransomware operations worldwide, with significant ransom demands exceeding $275 million, according to a joint advisory by the FBI and CISA in November. The group's dark web leak site, updated regularly with new victims, reflects ongoing cybercrime activity with evolving tactics and targets.

The investigation into the breach is ongoing, with GHC-SCW monitoring for any potential misuse of stolen information.