
Cyber Incident Victim: Eduro Healthcare

Date: Mar 2021

Location: United States of America

Summary

Eduro Healthcare, a Utah-based provider of transitional care and rehabilitation services, experienced a cybersecurity incident involving the Astro Team threat actors, who exfiltrated approximately 40 GB of data including protected health information such as patient names, insurance details, diagnoses, treatment codes, financial statements, Medicaid audits, and billing records. The attackers, linked to Mount Locker ransomware, publicly released the stolen data after the organization allegedly failed to meet ransom demands, with compromised files potentially originating from legacy systems following an earlier acquisition. Despite evidence of sensitive data exposure spanning multiple years, the company did not publicly acknowledge the incident, respond to inquiries, or report the breach to regulatory authorities.

Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor

Description

In early 2021, Eduro Healthcare, a Utah-based provider of transitional care, skilled nursing, and assisted living services, experienced a significant cybersecurity incident involving the Astro Team threat actor group. On April 7, 2021, Astro Team listed Eduro on their dedicated leak site, claiming to have stolen 40 GB of data. The group publicly released the entirety of the exfiltrated data on April 23, 2021, following an apparent failure by Eduro to meet unspecified ransom demands. While it remains unconfirmed whether Eduro’s systems were encrypted during the attack, Astro Team’s known association with Mount Locker ransomware suggests encryption may have occurred. Evidence indicates the data theft likely occurred on or around March 5, 2021, though this date is not definitively established. The compromised information primarily consisted of historical patient and operational records dating from 2015 to 2018, including files related to Rio at Cabezon, a facility Eduro acquired in May 2018. DataBreaches.net’s investigation revealed no public breach notifications from Eduro through official channels, including their website, Facebook page, or the U.S. Department of Health and Human Services’ breach portal, as of the article’s publication date on May 18, 2021.


The exfiltrated data contained extensive sensitive information, including Explanation of Benefits (EOB) documents from health insurers, which typically include patient names, health insurance details, dates of birth, diagnoses, treatment codes, service dates, and financial amounts. Additional compromised materials included patient-specific financial statements organized by insurance carrier, Medicaid audits, billing records, past-due account letters, and collection attempts. One folder alone contained over 8,000 scanned files related to patient accounts, services, and billing. The age of the data raised questions about whether the breach involved legacy systems from Rio at Cabezon, though Eduro did not respond to inquiries about this possibility. The absence of confirmed patient notifications or regulatory filings left the scope of affected individuals undetermined, though the presence of insurer-specific records and Medicaid audits indicated potential exposure of protected health information across multiple payers. No functional contact method for Eduro yielded responses to media inquiries regarding incident discovery timelines or containment efforts.
