Cyber Incident Victim: FONASA
Date: Feb 2023
Location: Chile
Summary
The BlackCat ransomware group claimed responsibility for an attack against Chile's National Health Fund, revealing beneficiary correspondence containing personal details like names, addresses, and cities, along with employee records including IDs and signatures. Proof provided to investigators included visit reports and healthcare payment documentation, though the victim organization and national cybersecurity authorities had not issued further updates beyond initial acknowledgments. The attackers stated they received no response from the entity and would soon publicly disclose the compromised data.
Description
In late February 2023, Chile's National Health Fund (FONASA) experienced a confirmed ransomware attack by the BlackCat group (ALPHV), though initial public reports emerged weeks later. BlackCat representatives communicated directly with DataBreaches.net via Tox in early March, claiming responsibility and indicating FONASA had not engaged in negotiations. The attackers asserted they would soon publish stolen data on their leak site due to FONASA’s lack of response. As partial proof, BlackCat provided DataBreaches.net with samples of exfiltrated files, including a directory listing of compromised data, internal correspondence containing beneficiary names, addresses, and cities, as well as visit reports with employee Personally Identifiable Information (PII) such as full names, national identification numbers (IDs), and signatures. One letter sample displayed in the reporting pertained to co-payment details for health services, confirming the authenticity of beneficiary records. These materials established direct access to FONASA's systems or data repositories, though BlackCat did not disclose the intrusion methodology, data volumes, or whether encryption occurred.

FONASA did not publicly confirm or detail the attack beyond acknowledging an initial malware incident and initiating unspecified legal actions in coordination with Chile’s national cybersecurity team (CSIRT) pre-dating BlackCat’s claim. This official silence persisted even after BlackCat’s announcement and the group’s provision of stolen data evidence to journalists. The compromise directly exposed both beneficiary healthcare data and sensitive employee records, creating risks of identity theft, fraud, and reputational harm. Attacks targeting healthcare payment systems like FONASA disrupt service delivery and erode public trust. As of the last available reporting, neither FONASA nor CSIRT released updates on mitigation steps, forensic findings, or whether negotiations with BlackCat occurred post-disclosure. The unresolved status left unclear whether BlackCat followed through on publishing the full dataset or if additional compromises were later discovered within FONASA’s infrastructure.
