Cyber Incident Victim: GlobeMed Saudi

Date: May 2021

Location: Saudi Arabia

Summary

A ransomware group known as Xing Team compromised GlobeMed Saudi, a healthcare benefits management firm, exfiltrating sensitive data including patient records, employee information, and financial reports. The attackers initially leaked 100 GB of the claimed 201 GB stolen, exposing detailed medical files such as COVID-19 diagnoses, pediatric ICU reports, and personally identifiable information. The firm's IT security team contained the breach within 24 hours, notified relevant authorities, and reinforced cybersecurity measures, asserting core systems remained unaffected. While the organization reported prompt incident response and regulatory compliance, patient notification details were not publicly confirmed, and the incident highlighted vulnerabilities in a region lacking comprehensive data protection regulations.

Description

On or around May 6, 2021, the threat actor group Xing Team added GlobeMed Saudi, a healthcare benefits management firm, to their dedicated leak site. The group claimed to have exfiltrated 201 GB of data comprising patient records, employee information, and financial reports. On May 11, Xing Team publicly dumped 100 GB of the stolen data, representing approximately half of the total exfiltrated material. The leaked files contained highly sensitive information, including a spreadsheet documenting 79 named COVID-19 suspected and confirmed cases from February 2021, which included patient names, identification numbers, hospital affiliations, diagnosis details, test results, and clinical notes. Another file contained detailed medical records of a pediatric ICU patient with a congenital condition, including treatment specifics. The data exposure extended to routine medical visit records, though the full scope of affected individuals remained unclear due to the partial data release and lack of official confirmation from GlobeMed Saudi.

GlobeMed Saudi initially did not respond to media inquiries, with later revelations indicating communications had been misdirected to spam folders. Following an internal investigation, the company’s IT security team initiated an incident response and conducted threat-hunting exercises across its network. They reported containing the breach within 24 hours, asserting that core systems and data center environments remained uncompromised. GlobeMed Saudi notified relevant Saudi Arabian authorities and regulators but provided no public disclosure regarding patient notifications or specific remediation measures for affected individuals. The dumped data attracted over 101,000 views on Xing Team’s leak site, though download statistics were unavailable. Subsequent analysis revealed the breach exposed financial records, employee data, and medical files containing identifiers such as patient names, guarantor details, and clinical histories, creating significant privacy risks. Xing Team’s actions demonstrated a willingness to target healthcare entities without ethical constraints, though operational disruptions to GlobeMed Saudi’s services were not explicitly documented in available reports.
