
Cyber Incident Victim: Forefront Dermatology

Date: May 2021

Location: United States of America

Summary

Forefront Dermatology experienced a ransomware attack by the Cuba Ransomware group, resulting in unauthorized access to patient and employee files containing names, addresses, dates of birth, medical record numbers, insurance details, and clinical treatment information, though Social Security numbers and financial data were not compromised. The attackers exfiltrated system and network data, including over 100 sets of login credentials with weak password practices, and leaked a portion of the data online. The organization took systems offline to contain the breach, notified potentially affected individuals despite inconclusive forensic findings, and established a call center for inquiries. The incident led to a class action lawsuit settlement, while conflicting reports emerged regarding the scale of impacted individuals, ranging from thousands to millions of patients.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Forefront Dermatology, a Wisconsin-based healthcare provider, experienced a ransomware attack beginning on or around May 28, 2021. The organization detected unauthorized system access on June 4, 2021, prompting immediate containment measures that included taking affected systems offline to limit further compromise. Subsequent forensic investigations confirmed unauthorized actors had accessed patient and employee files during the period between May 28 and June 4. The compromised patient data included names, addresses, dates of birth, account numbers, health insurance member IDs, medical record numbers, dates of service, accession numbers, provider names, and clinical treatment information. Notably, Social Security numbers, driver’s license numbers, and financial account details were not confirmed as exposed. Due to the inability to definitively identify all affected individuals, Forefront initiated broad notifications to patients and employees whose information might have been accessed.


The incident was attributed to the Cuba Ransomware group, which exfiltrated and subsequently leaked approximately 47 MB of data in late June 2021. The leaked files contained network security details, backup configurations, and over 100 sets of login credentials for health insurance portals, many exhibiting weak password practices such as predictable patterns and reuse. Forefront established a dedicated toll-free call center and published an online notice to address inquiries but did not publicly disclose whether a ransom was paid or negotiations occurred. The breach was reported to the U.S. Department of Health and Human Services as impacting 2,413,553 individuals, significantly higher than initial state-level disclosures. In November 2022, Forefront settled a class action lawsuit related to the incident for $3.75 million. Operational disruptions coincided with reported preparations by owner OMERS to sell the company, though no direct correlation between the breach and potential sale terms was confirmed.

Sources

1 source (available to members)