One of the recent listings on a well-known ransomware leak site names a Florida law firm as their victim but they link to disabilityhelpgroup.com. That site, which offers what they describe as advocacy services for individuals seeking help in securing Social Security disability benefits or veterans’ disability benefits, does not display the law firm’s name at all and has a disclaimer that the service is not a law firm. But there seems little doubt that LaVan & Neidenberg or at least one of the partners is somehow connected to the site and services, as Adam Neidenberg’s name appears on numerous official documents as the attorney for those using the Disability Help Group’s services.
On June 16, Disability Help Group suffered a ransomware attack that encrypted their files. On July 20, their URL and LaVan & Neidenberg’s name were added to a dedicated leak site with a “proof pack” that included sensitive data from people seeking disability benefits. Case files in the proof pack viewed by DataBreaches consisted of all the client’s records. Each case file might be 600 to more than 1300 pages with all their demographic information, occupational history, medical records, and evaluations to determine eligibility for the type of benefits sought.
On August 3, DataBreaches reached out to Disability Help Group to request comment on the breach and the data leak. No response was received.
According to the ransomware group that claimed responsibility for the attack, the data leaked in the proof pack is not all of the data they possess. They did not indicate how much data they exfiltrated or when they were planning to leak it all. But the proof pack alone contains what appears to be thousands of files, with hundreds of case files from 2020-2022 having detailed personally identifiable information.
Disability Help Group has not posted any notice on their website as of the time of this publication. This incident will not appear on HHS’s breach tool as this firm would not be a HIPAA-covered entity. They seem to have clients form a variety of states, so we may eventually see some notification on a state attorney general’s website, but Florida, if they report to that state, does not make breach notices public or subject to public records requests.
Do any of Disability Help Group’s clients know that their data has been acquired by a ransomware group? And if not, will they ever be told?