Cyber Incident Victim: New York Foundation for Senior Citizens
Date: Sep 2020
Location: United States of America
Summary
The New York Foundation for Senior Citizens experienced a ransomware attack by the Conti group, resulting in the exfiltration and public dumping of sensitive organizational and personal data. Compromised information included personnel records, guardianship-related financial documents with bank account details, and a psychiatric evaluation of a senior citizen containing highly sensitive health information. Despite the exposure of this data on Conti's leak site, the organization did not publicly acknowledge the incident on its website or respond to inquiries about potential notifications to affected individuals or regulators. The breach involved non-HIPAA-covered data but implicated other potential notification obligations due to the exposure of personal and financial records.
Description
On September 17, 2020, the New York Foundation for Senior Citizens (NYFSC) was listed on the Conti ransomware group’s dedicated leak site following a cyberattack. Conti threat actors exfiltrated and publicly dumped dozens of files containing sensitive organizational and personal data. The compromised records included personnel information, guardianship-related financial accounting documents submitted to courts, and bank account details. Among the leaked materials was a psychiatric evaluation of a senior citizen containing clinically sensitive information. NYFSC, a non-HIPAA-covered entity providing senior support services, faced potential notification obligations under other regulatory frameworks due to the exposure of personally identifiable and financial data. The attackers’ publication of internal documents demonstrated unauthorized access to systems housing confidential records related to both operations and client services. Conti’s leak site served as a platform to pressure victims into paying ransoms by threatening further disclosures, though no explicit ransom demand to NYFSC was detailed in available reports.

NYFSC did not issue public statements, website notices, or press releases regarding the incident following Conti’s data dump. DataBreaches.net contacted the organization via email on September 17, 2020, and sent a follow-up inquiry but received no response. No breach notification appeared on the U.S. Department of Health and Human Services’ public breach portal, consistent with NYFSC’s non-HIPAA status, nor were submissions to state attorneys general documented. The absence of public disclosures left affected seniors and guardians without formal guidance on potential risks stemming from the exposure of financial records and sensitive health information. The dumped guardianship files contained detailed court financials and banking data, creating risks of financial fraud and identity theft. The psychiatric evaluation’s disclosure compounded risks by exposing confidential medical assessments. Conti’s leak site made the data freely accessible, increasing the likelihood of misuse by malicious actors. NYFSC’s operational disruptions, if any, were not disclosed, and the organization’s internal investigation findings regarding attack vectors or data scope remained unpublicized.
