DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Forefront Dermatology notifying patients and employees about ransomware incident

Posted on July 9, 2021 by Dissent

Update November 17, 2022:  Forefront has reportedly settled a class action lawsuit for $3.75 million.

Update: July 12, 2021: Post-publication, DataBreaches.net learned that external counsel for Forefront Management, LLC and Forefront Dermatology, S.C. reported the incident to the Maine Attorney General’s Office as impacting 4,431 patients.  On July 14, however, this incident was added to HHS’s public breach tool as impacting 2,413,553 patients. Original post follows….


Wisconsin- headquartered Forefront Dermatology issued a press release yesterday afternoon about a ransomware attack that began in May.

Forefront has multiple locations
Forefront Dermatology advertises that it has more than 175 locations and more than 195 board-certified dermatologists.

In their press release, Forefront reports that they had identified an intrusion into their system on June 4, and promptly took their system offline to prevent further spread or damage.

Subsequent investigation revealed that there had been unauthorized access to some of its patient files and employee files between the dates of May 28, 2021 and June 4, 2021. The patient files that were accessed may have included  patient names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, accession numbers, provider names, and/or medical and clinical treatment information.

“There is no evidence that patient Social Security numbers, driver’s license numbers, or financial account / payment card information were involved in this incident,” they write.

Because Forefront’s investigation could not conclusively determine all the patients and employees whose files may have been involved, they are also notifying patients whose information may have been involved.

Forefront has established a dedicated, toll-free call center to help answer patient questions. Additional information is available at https://forefrontdermatology.com/incidentnotice/ or by calling Forefront Dermatology’s dedicated, toll-free incident response line at 855-899-4166, Monday through Friday, between 8:00am to 8:00pm, Central Time.

Forefront’s release does not mention any specific ransom demand or whether they negotiated at all with the threat actors.  As of today, however, some of Forefront Dermatology’s files remain  freely available on the Cuba Ransomware leak site.

 

Cuba Ransomware

Although not revealed in their disclosure, the attack was the work of threat actors calling themselves “Cuba Ransomware” (some details on Cuba ransomware can be found here).The threat actors dumped some of Forefront’s data at the end of June.

Cuba Ransomware Victim
The threat actors did not indicate how much data they had exfiltrated.

The June data dump did not include a tremendous amount of patient records, although it did include some patient information. The dump was only about 47 MB, but what it did include was more than 130 files with information on the entity’s system and network, with security and backup details, and all their logins to health insurance portals, etc.

Hopefully, Forefront has notified all of the insurers whose portals they use that their login credentials were compromised.  A passwords file in the dump listed more than 100 sets of logins. Sadly, there was what appeared to be a lot of weak password and extensive password reuse. More than 40 passwords had “Forefront” in combination with some digit(s) and an exclamation point. Another 10 had some variant of DAWderm1!

Logins
Passwords and email addresses with security quesions used for one insurer’s portal revealed significant re-use.

DataBreaches.net emailed their IT person to ask them some questions. In that July 4 email, I noted that I would be reporting on this breach and that I hope they had changed all their passwords.  I got no reply. That was actually the third email I had sent to Forefront seeking information or a statement. There was no reply to any of them.

DataBreaches.net has been trying — unsuccessfully so far — to reach the threat actors to ask them if they would reveal whether they got patient data and employee data, and if so, how much.

Bad Timing?

There is never a good time for a breach, but this may be particularly bad timing. In researching this incident, DataBreaches.net discovered articles on PE Hub dated June 30 and July 1 about how OMERS was reportedly preparing Forefront Dermatology for sale.

OMERS did not respond to three email inquiries about the breach or its potential impact on any sale.

Will the breach deter any buyers or will it result in the seller reducing the price of sale? DataBreaches.net has no idea, but if the entity doesn’t know for sure how much PII and PHI the attacker(s) actually acquired, then what impact might that have?


 

Related posts:

  • Forbes Breach Email Statistics
  • TeamGhostShell posts “master list” of 548 leaks (so far)
  • A further 512 websites hacked and defaced by HaX.R00T
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
Category: Breach IncidentsHealth DataMalware

Post navigation

← Kroger reaches $5M settlement with Accellion breach victims, as Supreme Court defines ‘actual harm’
Iran’s Rail Service Allegedly Hacked With Fake Delay Messages Urging Users To Call Khamenei →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.