Cyber Incident Victim: Instituto Nacional de Medicina Genómica
Date: Sep 2021
Location: Mexico
Summary
Mexico's National Institute of Genomic Medicine (Inmegen), a government health agency involved in COVID-19 testing and research, was targeted by the threat actor group CoomingProject, which claimed to have exfiltrated 50 GB of data including sensitive patient information. The data the group leaked included a database with personal details such as names, dates of birth, contact information, and COVID-19 testing results, alongside more than two dozen patient-specific PDF reports. Among the leaked files was a README referencing an unrelated group, KelvinSecTeam, with no explanation. Inmegen had not publicly acknowledged the incident or responded to inquiries at the time of reporting, so the group's claims about the scope of the breach remained unverified.
Description
On or around September 27, 2021, the threat actor group CoomingProject claimed responsibility for a cyberattack on Mexico's National Institute of Genomic Medicine (Inmegen), a government health agency involved in COVID-19 testing and research. The group publicly leaked a portion of the stolen data, including a database labeled "COVID" containing multiple tables of patient information. One table held 400 records with fields such as patient names, ages, dates of birth, email addresses, phone numbers, and other personal details. Other leaked files were COVID-19 test results in the form of more than two dozen PDF reports bearing patients' names. CoomingProject asserted it had exfiltrated 50 GB of data from Inmegen and an unnamed "partner" organization, but it named no ransom demand and did not describe which systems were compromised. The group reiterated that it was not a ransomware operation but stated no other motive for the attack.

The data dump also included an anomalous file named "README" that contained what appeared to be promotional material for a separate group, KelvinSecTeam, rather than a ransom note or any operational communication. No public link between CoomingProject and KelvinSecTeam was identified: KelvinSecTeam's Telegram channel, which had over 600 members, made no mention of the Inmegen breach or of any collaboration with the attackers. Inmegen did not acknowledge the incident publicly; it posted no statement on its website and did not respond to multiple media inquiries about the attack's validity or impact. With no confirmed containment or recovery actions and no victim communications, the operational disruption, data exposure, and potential regulatory consequences went unaddressed in public reporting. The identifiable patient health information in the leak raised privacy concerns, though the number of affected individuals could not be verified from the partial disclosure and the institution's silence.
