Grace Lutheran Foundation, which does business as Grace Lutheran Communities in Wisconsin, offers a variety of services including rehabilitation services, assisted living, skilled nursing, independent living, adult day services, and childcare. On February 9, they posted a notice about a data breach they discovered on January 22, 2024. They emphasized that there was no indication of misuse of any data, but they also noted that their ongoing investigation had already revealed that patient information was involved: name, address, Social Security number, and health insurance information.
The same day that they posted their notice, BlackCat added Grace Lutheran to their dark web leak site.
According to BlackCat’s blog post, they acquired 70 GB of data but allegedly after a few weeks of negotiations, Grace Lutheran Communities “refused to protect data of its employees and patients/customers unfortunately. That is why these data is being shared right now to public for free.”
BlackCat’s characterization of Grace Lutheran as “refusing to protect” is misleading. A chat log provided to DataBreaches with the understanding it would not be published or quoted directly does not show Grace Lutheran refusing to pay. It showed them agreeing to pay but then asking for more time to make the payment — and the negotiations falling apart after that.
Grace Lutheran stopped responding on February 6 and posted its breach notice three days later.
DataBreaches was also given access to preview the data leak. As claimed by BlackCat, it does appear to involve both employee and resident/patient personal and sensitive information. Many files incorporated patient names and dates as part of the filenames.
Skimming the files in the tranche, DataBreaches found clinical notes on named patients and also complete records in .pdf format. For some patients, the medical record would be hundreds of pages long in .pdf format and with personal and protected health information. Other patient files were briefer records. Employee-related records were also spotted in the tranche.
DataBreaches sent an inquiry to Grace Lutheran on February 17. They have not replied, but appear to have silently updated their security incident notice to include:
On February 17, 2024, we learned an unauthorized actor published data relating to the incident, to possibly include the personal information of Grace Lutheran employees and residents. We are working with our cybersecurity firm to address and remediate the publication of this data. We will promptly contact any individuals affected by this or any future release of confidential information by the actor.
Based on information on its website, Grace Lutheran appears to be a HIPAA-covered entity. There is no report listed on HHS at this time, but they are still within the 60-day window to notify. According to a spokesperson for BlackCat, the attack occurred on December 22, and they gained access through phishing and social engineering. DataBreaches could not independently confirm that claim, nor BlackCat’s description of their security as being “like a piece of cake to us.” In response to questions from DataBreaches, the spokesperson claimed they locked the network successfully without being detected. “Several top level employees were contacted through calls to make them talk. No patients or employees being informed yet, because of our organisation’s internal reasons.”
One of the questions DataBreaches put to BlackCat was whether they regretted not taking Grace Lutheran’s offer during negotiations.
“The sum which was demanded was based upon company’s financial documents. We are not sure whether it was their purpose to stall negotiation process or not, but it definitely took to long for them to answer every single questions, which is unacceptable in such cases,” the spokesperson replied. According to the spokesperson, the initial price had been set at $750,000. When Grace offered $435,000, BlackCat asked for $100k more. After that, there was a bit more negotiation and repeated mentions of needing more time. And then Grace Lutheran just stopped responding.
BlackCat’s spokesperson tells DataBreaches they have sent emails once again to Grace Lutheran management, but haven’t received any reply.