Cyber Incident Victim: Unique Imaging
Date: Apr 2023
Location: United States of America
Summary
The Trigona ransomware group breached Unique Imaging, a medical imaging provider, claiming prolonged network access for approximately six months. The attackers exfiltrated protected health information, including patient prescriptions, clinical results, insurance details, and driver's licenses, and demonstrated access to the radiology information system. The group engaged in double extortion, encrypting files and threatening to leak stolen data, but the victim did not publicly acknowledge the incident or engage in negotiations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 5, 2023, the Trigona ransomware group publicly claimed a cybersecurity incident involving Unique Imaging, Inc., a medical imaging company with locations in Aventura, Biscayne, Miami, and Dadeland, Florida. The group listed the company on its newly created dark web data leak site. The listing included a countdown timer showing 76 days remaining, suggesting an impending auction of the stolen data. This public claim was the first external indication of a significant security breach. The Trigona group asserted they had maintained persistent access to Unique Imaging's internal network for approximately six months prior to this announcement, a claim partially supported by data samples containing timestamps from December of the previous year.

The initial ransom demand and the exact date of the initial network compromise were not disclosed by the threat actors. However, according to Trigona, they made direct contact with the victim organization on February 27, 2023. The group's spokesperson reported having a telephone conversation with Unique Imaging's Chief Executive Officer. During this call, the CEO allegedly instructed them to contact her lawyer but later requested the information be sent via email. Subsequent attempts by the threat actors to make contact by phone were reportedly met with the call being hung up. Despite these alleged communications, Unique Imaging did not publicly acknowledge any security incident at this time and its corporate website showed no signs of disruption.
Following the public listing, an independent security news site, DataBreaches, began an investigation. On April 18, 2023, an email was sent to Unique Imaging inquiring about the ransomware group's claims. The company did not respond to this initial inquiry. The Trigona group, however, did engage with the investigating outlet. They provided additional evidence to support their claims of access and data exfiltration. This evidence included a small sample of the stolen data, which consisted of hundreds of scanned PDF files. These files contained protected health information (PHI) such as patient prescriptions, clinical results, health insurance cards, images of driver's licenses, and purchase orders.
Crucially, the threat actors provided screen captures as proof they had gained access to the company's Radiology Information System (RIS), specifically identified as Power Reader RIS. This system is an electronic health record platform designed for radiology practices, containing highly sensitive patient data. The ability to access this system indicated a deep level of network penetration, potentially exposing a vast quantity of protected health information. The screen captures were published on Trigona's leak site, with patient information redacted by the news outlet that reviewed them.
Based on this additional proof, a second email was sent to Unique Imaging on May 1, 2023. This communication was also sent to Christopher Woodhouse, M.D., the Medical Director for the company. The email detailed Trigona's claim of continued network access and included some of the specific proof the group had provided. The message also asked the company to confirm or deny the claims. Once again, no reply was received from Unique Imaging. As of the time of reporting, no public disclosure, notification to patients, or filing with regulators regarding a data breach could be found.
To substantiate their claim of ongoing network access, the Trigona group created a user account for the investigating journalist on Unique Imaging's compromised network. They provided a log of this account creation and an invitation to access it. This action was taken to demonstrate their persistent control over the environment. The news outlet did not access the account but instead forwarded the access information to Unique Imaging to alert them to the specific claim. The threat actors stated, "We are still using them for our own purposes and are still downloading the data of interest." When questioned about these purposes, Trigona elaborated that they used the compromised network to send infected emails to the company's customers and partners. They also noted that other groups use such stolen data for activities like taking out and cashing small loans, indicating multiple potential avenues for monetization.
The Trigona ransomware group operates using a double-extortion model. This involves both encrypting files on a victim's network to lock them and exfiltrating data to pressure the victim into paying a ransom. The payment is demanded in exchange for a decryptor key and a promise to delete the stolen data. The group confirmed they use the ChaCha20 stream cipher and Elliptic Curve Cryptography (ECC) for encryption. Their ransom notes include victim-specific links to a communication chat system. As part of their process, they allow victims to provide three files to test the decryptor's functionality before any payment is made. They prefer to receive ransom payments in Monero, a privacy-focused cryptocurrency.
The group's leak site presents victim data in a format that mimics an auction, with listed minimum deposits, opening bids, and a "blitz" price. However, this auction is not real. Small text further down the Unique Imaging page clarifies that the public-facing site is merely an informational blog and that actual data sales are conducted through private access provided to the group's partners. The group noted it was in the process of transitioning to a more public leaking strategy, referred to as a "glasnost format," having previously preferred to sell data exclusively in a closed format.
Trigona described itself as a closed group without affiliates and stated it was not represented on any thematic cybercrime forums. They claimed to have been operating privately since the beginning of 2022, with their public emergence occurring in June of that year. They asserted their number of attacks in 2023 was significantly higher than public estimates of 190. The group stated they primarily target organizations in Tier-1 countries and generally avoid state-owned enterprises and companies of strategic importance, though they do not have outright bans on specific countries or industries. The attack on Unique Imaging, and another medical facility in Australia, demonstrates their willingness to target healthcare entities. They declined to comment on potential relationships with other ransomware groups like AlphV or explain why some of their early listings had appeared on the AlphV leak site.
The impact of the incident on Unique Imaging's operations was not detailed in the available information. There was no indication from the company's public-facing website that internal systems were encrypted or otherwise disrupted. The primary impact, based on the evidence provided by the threat actors, was the large-scale exfiltration of sensitive patient data. The compromise of the radiology information system represents a significant breach of medical confidentiality, exposing patient health records, personally identifiable information, and financial data. The threat actors' claim of maintaining persistent access for months suggests a potential systemic failure in detection and response. The reported use of the network to launch further attacks against customers and partners compounds the potential harm, extending the risk beyond Unique Imaging itself. The company's public response, or lack thereof, left patients and partners without official information regarding the potential compromise of their data.
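The account the attackers created on the victim network, and the months of undetected access the report attributes to a detection and response failure, point to one concrete control a defender can check: every user-account creation should be reconciled against who is allowed to provision accounts and when. The following is an added example written for this page, not code from the report or from any vendor; it runs over constructed audit records in an assumed one-line format (Windows security event 4720, "a user account was created", is a real event ID, but the log layout, host names, and the approved-provisioner list are assumptions for illustration).

```python
import re
from datetime import datetime

# Constructed sample audit records (not from the incident). Assumed format:
# "<ISO timestamp> EventID=<id> Subject=<creator> Target=<new account> Host=<host>"
SAMPLE_LOG = """\
2022-12-04T02:13:55 EventID=4720 Subject=svc_backup Target=tmp_ops Host=RIS-APP01
2023-01-10T09:42:10 EventID=4720 Subject=it_admin Target=newtech Host=DC01
2023-04-20T23:05:31 EventID=4720 Subject=RAD-WS07$ Target=guest_rev Host=RIS-APP01
2023-04-20T23:05:32 EventID=4732 Subject=RAD-WS07$ Target=guest_rev Host=RIS-APP01
"""

# Assumption: only these accounts are allowed to create users; everything else is a finding.
APPROVED_PROVISIONERS = {"it_admin"}
# Assumption: account provisioning happens during business hours (08:00-17:59 local).
BUSINESS_HOURS = range(8, 18)
ACCOUNT_CREATED = 4720  # Windows security event: a user account was created

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) "
    r"Target=(?P<target>\S+) Host=(?P<host>\S+)$"
)


def parse_events(text):
    """Parse the assumed one-line audit format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["eid"] = int(rec["eid"])
        events.append(rec)
    return events


def suspicious_account_creations(events, approved=APPROVED_PROVISIONERS, hours=BUSINESS_HOURS):
    """Return (timestamp, new account, host, reasons) for each creation that breaks policy."""
    findings = []
    for e in events:
        if e["eid"] != ACCOUNT_CREATED:
            continue
        reasons = []
        if e["subject"] not in approved:
            reasons.append("creator is not an approved provisioner")
        if e["ts"].hour not in hours:
            reasons.append("created outside business hours")
        if e["subject"].endswith("$"):
            # A machine account creating users is rarely legitimate provisioning.
            reasons.append("creator is a machine account")
        if reasons:
            findings.append((e["ts"].isoformat(), e["target"], e["host"], reasons))
    return findings


if __name__ == "__main__":
    for ts, target, host, reasons in suspicious_account_creations(parse_events(SAMPLE_LOG)):
        print(f"{ts} {host}: new account '{target}' flagged: {'; '.join(reasons)}")
```

Two of the three creation events in the constructed sample are flagged (the one performed by the approved provisioner during business hours is not); the group-membership event is ignored because the check is scoped to creations. In a real deployment the approved-provisioner set and hours would come from the organisation's identity process, and the rule would be paired with an alert on the same account's first logon.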
