Cyber Incident Victim: Aviacode

Date: Jan 2023

Location: United States of America

Summary

Aviacode, a medical coding services provider under GeBBS Healthcare Solutions, experienced a significant cybersecurity incident involving the ransomware group 0mega, which exfiltrated and publicly released approximately 200 GB of sensitive data. The breach exposed extensive employee and contractor information, including Social Security numbers, dates of birth, payroll records, tax documents (W-2s and 1099s), background checks, and credentials—with some files revealing reused default passwords. Despite 0mega’s claims of encrypting systems and compromising administrative access, the victim organization did not engage in negotiations or publicly acknowledge the attack. No protected health information was confirmed in the leaked data, but the incident likely triggered obligations to notify affected individuals and regulators under state breach laws due to the exposure of personal identifiers. The attackers criticized Aviacode’s response as inadequate, alleging internal mismanagement and a lack of technical competence during the incident.

Description

On or around January 1, 2023, the ransomware group 0mega compromised systems belonging to Aviacode, a medical coding and healthcare revenue cycle management subsidiary of GeBBS Healthcare Solutions. 0mega claimed to have locked Aviacode’s network, exfiltrating approximately 200 GB of data. The attackers stated Aviacode failed to engage in negotiations or acknowledge communications following the intrusion. 0mega’s spokesperson alleged they monitored Aviacode’s internal activities, including a management meeting held to discuss the breach, and observed administrative incompetence in incident response efforts. They further claimed Aviacode lost access to critical infrastructure including mail servers, backups, and network management systems.

Aviacode was listed on 0mega’s leak site by January 9, 2023. On February 11, 0mega publicly released the stolen data, which included sensitive employee and contractor information spanning multiple years. Exposed records contained W-2 forms, 1099 tax documents, payroll details, termination records with background checks, hire dates, credentials, and in some instances, passwords. A recurring password (“Simple2871!”) was identified across multiple user accounts. No comprehensive patient databases were confirmed in initial reviews, though employee data included Social Security numbers, dates of birth, and addresses. Aviacode and GeBBS did not respond to 0mega or external inquiries about the breach, with only nonresponsive marketing communications issued to media. As of February 20, 2023, no breach notifications had been filed with state regulators, the U.S. Department of Health and Human Services, or affected individuals, despite potential obligations under HIPAA and state laws. The incident exposed systemic vulnerabilities in Aviacode’s security practices, including inadequate credential management and delayed incident response.
