Laboratory Services Cooperative, a US lab testing provider, yesterday confirmed that data on 1.6 million people was exposed from its systems in an October 2024 attack. Data exposed in this breach includes names, Social Security numbers, license numbers, diagnoses, lab results, treatments, insurance details, billing details and more.
Oops.
Ensar Seker, CISO at SOCRadar, had this to say:
“The data breach at Laboratory Services Cooperative (LSC), affecting 1.6 million individuals, is one of the most significant healthcare sector incidents we’ve seen this year, not just in terms of scale, but in terms of sensitivity and impact. LSC’s role as a centralized lab service provider to organizations like Planned Parenthood and others across more than 35 states makes this not just a health data incident, but a targeted attack on reproductive healthcare infrastructure.”
“What makes this breach especially damaging is the breadth of data exposed. We’re talking about a full-spectrum compromise: personally identifiable information (PII), medical diagnoses and treatments, lab results, financial data, and even government-issued IDs like passports and Social Security numbers. This creates a perfect storm for identity theft, medical fraud, and social engineering attacks.”
“Unfortunately, the healthcare sector continues to be a prime target for threat actors because the data is both extremely valuable on the black market and difficult to change. You can cancel a credit card but you can’t cancel your diagnosis, your birth date, or your lab history.”
“From a threat intelligence perspective, we’re already seeing evidence that threat actors are prioritizing healthcare organizations not just for financial gain, but to cause disruption, especially in politically sensitive areas like reproductive health. This makes it even more urgent for medical organizations and their partners to move beyond basic compliance and adopt a threat-informed, zero-trust security model.”
“This breach is a painful reminder that cybersecurity is patient safety, especially in sectors handling deeply personal and politically sensitive information.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech adds this:
“Cyber attacks against healthcare providers like this are very common and very costly. They are usually ransomware attacks. Hospitals and other providers can’t afford downtime, which makes them more likely to pay a ransom to quickly restore operations. Downtime is often more costly than paying a ransom, and ransomware gangs know this.”
“If an organization refuses to pay the ransom, it could face extended downtime, data loss, and putting data subjects at increased risk of fraud. From 2018 to 2024, we tracked 654 confirmed ransomware attacks on US healthcare organizations. The resulting downtime costs an estimated $1.9 million per day per organization on average, with an average downtime of 17 days.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy follows with this:
“Customers who may have had their data exposed in the LSC breach will need to stay alert for phishing attempts, new accounts being opened under their name, calls claiming to be bill collectors, and more. Affected parties should take advantage of any credit monitoring services that may be offered by LSC.”
This is normally the part where I would say that this situation is unacceptable and that they need to be hauled in front of the relevant authorities to face the music. But unfortunately, given what is going on in the US at the moment, the latter half of that is likely not going to happen no matter how unacceptable this is. Which is going to be a huge problem, as companies won’t be “incentivized” to do better if there is no meaningful punishment to avoid.
UPDATE: Erich Kron, security awareness advocate at KnowBe4, commented:
“While the focus on breaches such as this is often on the personal information that was stolen and could be used to steal an identity, the other data often included can be used to create social engineering attacks that could be very damaging.
If an attacker knows a specific time and place where an individual was, or has information about a specific procedure that was performed, it can be easy for them to pretend that they are associated with the hospital, insurance company, or other organization related to the procedure and demand payment for services. For example, a bad actor could contact a victim, referencing the procedure, and saying that part of that procedure was not covered, and that the person needed to pay them now or be turned over to collections. The complex and expensive process of modern healthcare procedures can make an approach such as this very believable.
It is critical that people impacted by a breach such as this are quickly informed of the data loss and are aware of the threats they now face. Victims of the breach should be very cautious of any organization that contacts them and references information that could have been included in this breach.”