
Cyber Incident Victim: Consulate Health Care

Date: Dec 2022

Location: United States of America

Summary

The Hive ransomware group compromised Consulate Health Care, exfiltrating and subsequently leaking 550 GB of sensitive data encompassing extensive customer and employee personally identifiable information, medical records, financial details, and internal corporate documents. The organization initially attributed the breach to a vendor incident, but the attackers explicitly claimed direct infiltration. Negotiations reportedly collapsed after the company could not meet the reduced ransom demand due to lack of insurance coverage, prompting the threat actors to publicly release the stolen data.


Description

On December 3, 2022, the Hive ransomware gang executed a cyberattack against Consulate Health Care, a healthcare services provider. The attackers exfiltrated approximately 550 GB of sensitive data, which included extensive personal and corporate information. Stolen employee data encompassed social security numbers, email and physical addresses, phone numbers, photographs, insurance details, payment records, and other personally identifiable information (PII). Customer records exposed medical histories, credit card numbers, insurance information, social security numbers, and contact details. Corporate documents such as contracts, non-disclosure agreements (NDAs), budgets, strategic plans, financial evaluations, revenue cycle data, investor relations materials, and organizational structure charts were also compromised. Consulate Health Care publicly disclosed the incident on January 6, 2023, attributing the breach to a security incident affecting one of its vendors. The organization stated the vendor had engaged third-party experts to investigate potential unauthorized access to records containing personal information, though the full scope remained under review at the time of notification.


Contradicting Consulate Health Care's vendor-focused explanation, Hive ransomware representatives explicitly claimed to have targeted the organization directly rather than through a third party. Security researcher Dominic Alvieri observed the gang's publication of the full 550 GB dataset on January 6, 2023, indicating failed ransom negotiations. According to reports from DataBreaches, negotiations collapsed after several weeks when Consulate Health Care determined it could not meet the attackers' demands, even at a reduced rate, due to lack of insurance coverage for ransom payments. The data leak included samples verifying the theft of medical records, financial documents, and employment records prior to the full dataset's release. This unauthorized disclosure exposed patients to potential identity theft and medical fraud risks, while employees faced compromised tax, insurance, and financial security. The organization maintained its notification was issued out of caution and commitment to transparency while investigations continued into the vendor-related incident narrative disputed by the threat actors.
