Data Exfiltration: Ransomware Operators Nab Health Records of 533,000 Patients


April 10, 2024


Group Health Cooperative of South-Central Wisconsin (GHC-SCW), a non-profit healthcare service provider, disclosed that documents containing the protected health information (PHI) of over 500,000 individuals were exfiltrated in a January ransomware attack.

"In the early morning hours of January 25th, 2024, GHC-SCW identified unauthorized access to their network. Their Information Technology (IT) Department purposefully isolated and secured their network, causing several of their systems to be temporarily unavailable," Bleeping Computer reports a spokesperson as stating.

"On February 9, 2024, during our investigation, we discovered indications that the attacker had copied some of GHC-SCW's data, which included protected health information (PHI). Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data."

The records include patient “names, addresses, telephone numbers, e-mail addresses, dates of birth and/or deaths, social security numbers, member numbers, and Medicare and/or Medicaid numbers.”  

The attackers attempted to encrypt GHC-SCW's network but were unsuccessful, which allowed the victim to recover operations quickly. The organization still has to contend with the data breach and the potential legal and regulatory liability that will certainly follow.

Takeaway: Beyond the financial and operational impact from ransomware attacks, organizations should be concerned about the potential loss of sensitive data and intellectual property.  

Ransomware operators increasingly threaten to publish or sell stolen data if the ransom is not paid. This can lead to regulatory fines, legal liabilities, and severe damage to the company's brand and customer trust.

The number of class action lawsuits spurred by ransomware attacks that include data exfiltration has skyrocketed in the last two years, and liability risk is also specifically hitting the C-suite and Boards of Directors.  

Even if organizations are prepared to respond and recover from a ransomware attack, the fact that sensitive data was stolen or exposed puts them at additional liability risk.  

We see this most clearly in the evolution of the extortion tactics employed by ransomware actors. Originally, the malicious payloads would encrypt files and demand payment for decryption keys.

Security teams found success in either restoring from backups or accepting the loss of data as a tolerable consequence. Of course, even if systems are restored without paying the ransomware operators for a decryption key, the stolen data is still exposed, and there is no guarantee that payment will protect it from being exploited.

The ransomware payload does not enter the picture until late in the attack, so the key to avoiding this situation is to detect the attack earlier in the sequence, long before the ransomware payload is delivered.

Organizations need to understand that today’s ransomware attacks involve a great deal more than just the delivery of malicious code that disrupts operations.

Data exfiltration is central to nearly every major ransomware operation, and the tactic has been so successful that some groups have abandoned the encryption aspect of attacks altogether to focus solely on stealing data and extorting the victim.  

Ransomware attacks often trigger legal and regulatory consequences. Depending on your industry and location, there may be data protection laws and regulations that require you to report data breaches promptly.  

Failure to do so can result in substantial fines and legal liabilities.

Halcyon is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.