On January 24, DataBreaches was contacted by a spokesperson for AlphV (“BlackCat”) to see if this site would be interested in reporting on a breach involving BrightStar Care (“BrightStar”). BrightStar had been added to their dark web leak site that day but without any proof of claim. The spokesperson was offering to show DataBreaches data that was described as containing a lot of patient information. Given that BrightStar offers a range of services for different needs, and has locations in most (but not all) states, any breach might involve patient data. Before viewing any data, though, DataBreaches asked AlphV some questions, and learned that the attack was in early January, but it did not involve any encryption of files. AlphV’s spokesperson stated that they exfiltrated 24 GB of data from all of BrightStar Care’s four brands, obtaining “lots of confidential sensitive patient data.” They would later revise the claim about obtaining a lot of patient data.
Although BrightStar has four brands — BrightStar® Home Care, BrightStar® Senior Living, BrightStar Care Homes™, and BrightStar® Medical Staffing — each franchise office is independently owned and operated. Whether patient data from all franchises is centrally stored, with corporate providing security, was not and remains unconfirmed by BrightStar.
In any event, the spokesperson claimed that they sent BrightStar the negotiation chat URL to use, but that BrightStar never responded at all, and so never even saw any price to delete data. When DataBreaches asked how they could be sure that BrightStar ever saw the communication with the URL, they answered that they used Docusign, which provided a read receipt via email.
When DataBreaches inspected some of the data, it appeared to all be from an account on a server from the directory “Shelly Sun.” Shelly Sun is the CEO and co-founder of BrightStar. While the data appeared to contain some company-related files and documents as well as some personal information, there did not appear to be any patient databases or employee databases in the directory. As breaches went, this did not seem to be a particularly significant one in terms of potential impact.
But on January 24, the same day AlphV listed BrightStar on their leak site, SiegedSec posted on their Telegram channel with two screencaps as proof. Their post read, in part: “oops, accidentally breached a healthcare company~ don’t worry, we won’t be leaking any data from healthcare again ^-^ but this 80GB of client and staff data looks pretty delicious~”
They also included a note to BrightStar Care:
dear BrightStar Care,
we’ve left a note in your files so you can secure your data.
yours truly, the gay cats at SiegedSec
DataBreaches reached out to SiegedSec, whose spokesperson expressed surprise. “I’m surprised to hear BlackCat’s breach is unrelated considering the timing, but I also wouldn’t be surprised if BrightStar was breached twice,” they wrote. In response to questions from DataBreaches, they volunteered that they breached the BrightStar Care branch, “specifically in Kentucky.” They were uncertain whether they only accessed an independently owned franchise or a central network for multiple franchises.
Neither SiegedSec nor AlphV was willing to reveal how they gained access to BrightStar. Neither got any direct response from BrightStar to their communications, but SiegedSec believes that BrightStar “certainly took notice and fixed the initial access method after a couple of days from the attack,” adding, “BrightStar hasn’t contacted or acknowledged me at all, despite leaving them my contact info.” Perhaps they thought thanking SiegedSec would be inappropriate.
When asked, AlphV’s spokesperson said that they, too, no longer had access.
Of note, and despite the wording of SiegedSec’s Telegram post, SiegedSec informed DataBreaches that they did not download any data. “I took a look around their files but I had no intention to keep their data.”
So will BrightStar decide that this is a reportable breach under HIPAA or not? Unless DataBreaches missed some data, there may not be much PHI in the data AlphV claimed to exfiltrate. And because DataBreaches did not examine every file in the AlphV data, this site could not determine whether the two files SiegedSec posted were also in the AlphV data.
Was this really one breach or was it, as claimed, two breaches by different threat actors? DataBreaches would love to know if BrightStar would just respond to inquiries. DataBreaches called BrightStar this week and was told that there was no phone extension for any executives but the customer service representative would take a message and submit it. DataBreaches left a detailed message that this site was inquiring about two alleged data breaches by different criminal groups and that both had provided some data to support their claims.
No call or reply was received.