Ransomware Attack on Software Vendor Affects 954,177 Individuals


Young Consulting, an Atlanta-based software vendor, has reported a data breach involving the health insurance information of at least 954,177 individuals. Young Consulting provides software for marketing, underwriting, and administering medical stop loss insurance for carriers, brokers, and third-party administrators. Medical stop loss insurance, also known as excess insurance, protects self-funded employer health plans against unexpectedly large claims.

Young Consulting recently notified the Maine Attorney General about the data breach and confirmed it was providing notice to 954,177 individuals on behalf of Blue Shield of California and other (unnamed) covered entities. The notification states that the information compromised in the incident includes names, birthdates, Social Security numbers, insurance policy information, and claims information.

Young Consulting detected the breach on April 13, 2024, after experiencing technical difficulties within its computer environment. The forensic investigation that followed confirmed that an unauthorized party had access to its systems from April 10, 2024, through April 13, 2024, and that files had been exfiltrated from its network. The affected covered entities were notified about the attack on June 28, 2024. Young Consulting then worked to obtain up-to-date contact information so that individual notification letters could be sent.

The incident is not yet shown on the HHS' Office for Civil Rights (OCR) breach portal. OCR has previously explained that there may be a delay of up to two weeks before breach reports are added to the portal while the reported information is checked. Individual notification letters started to be mailed on Monday, and the affected individuals have been offered complimentary credit monitoring services.

When data breaches occur at vendors (business associates), the affected covered entities are ultimately responsible for ensuring the data breach is reported to regulators and that individual notification letters are mailed. Many covered entities delegate responsibility for notifications to the business associate who experienced the breach. Some breaches at business associates involve notifications being mailed by the business associate, others by the affected covered entities. In some cases, notifications are sent by the business associate on behalf of some clients while other clients choose to send their own notifications. It is currently unclear if the 954,177 notifications being mailed by Young Consulting are for all affected individuals or on behalf of some of the affected clients.

Apart from the dates of unauthorized access, the "technical difficulties", and confirmation that data was stolen, little information has been released about the nature of the attack; however, a threat group well known for ransomware attacks on healthcare organizations and their business associates claimed responsibility and added Young Consulting to its dark web data leak site on May 7, 2024. That group is BlackSuit, formerly known as Royal ransomware.


BlackSuit engages in double extortion: files are exfiltrated from the victim's network before ransomware is used to encrypt them, so the victim is pressured to pay both for the decryption keys and to prevent publication of the stolen data. According to BlackSuit, top management at Young Consulting refused to negotiate payment, and the stolen data was listed on the group's data leak site, where it remains. The group claims to have stolen employee data, business documents, financial information, and other data stored on shared network drives.

BlackSuit poses a significant threat to the healthcare sector, and this is unlikely to be the last attack on a HIPAA-regulated entity. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently shared mitigations to help network defenders improve their defenses against BlackSuit attacks, along with Indicators of Compromise to help them detect attacks in progress. The joint CISA/FBI #StopRansomware advisory on BlackSuit (Royal) ransomware, AA23-061A, is available on the CISA website.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/