ClickFix Social Engineering Technique is the Leading Method for Malware Delivery
The ClickFix social engineering technique is the leading method of malware delivery, according to an analysis by researchers at ReliaQuest. The researchers analyzed cyberattacks between March 1 and March 31, 2026, and found that attackers were most commonly exploiting trusted identities, devices, and tools in their attacks. This approach allows the attackers to hide their activities, which resemble normal user behavior, and bypass traditional perimeter and file scanning defenses.
The leading technique was ClickFix, which involves tricking users into pasting the attacker’s commands and scripts into trusted system dialogs, such as the Windows Run dialog. Pressing the Windows Key + R launches the Run dialog, and the user is convinced to copy the supplied code into the dialog and execute it, having been tricked into thinking that the command will resolve an IT issue.
For instance, a user visits a website that triggers a pop-up, warning them that their browser contains a vulnerability or an image failed to load. They are told to click a button, which copies code, and then paste that command into the Run dialog and press Enter, thus executing the command. Other methods involve generating a fake CAPTCHA page, informing the user that they need to complete the test to verify they are human by pasting and running the command. That command launches PowerShell code that delivers the malware payload.
ReliaQuest researchers report that this technique is commonly used to deliver the NetSupport RAT, a remote access Trojan, and Deepload fileless malware, although they observed this technique being used to deliver a range of malware variants. This approach has also been used against macOS users for the first time, delivering Atomic Stealer (AMOS), which can steal browser credentials, session cookies, cryptocurrency wallets, and keychain data.
ReliaQuest recommends that companies add this method of attack to their security awareness training programs and warn employees not to paste commands into dialog boxes such as Run, Terminal, or Script Editor. The company also advises considering restrictions on the use of the Run feature, restricting users from executing executable files, and using web filters to block pop-ups and prevent access to malicious websites.
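Windows keeps a per-user history of Run dialog entries in the RunMRU registry key, so a pasted ClickFix command can be looked for after the fact. The triage below is an added example, not code from ReliaQuest or The HIPAA Journal; the sample values are constructed, and the `cmd` and `mshta` watchlist entries are assumptions beyond the PowerShell launcher the article describes.

```python
import re

# "powershell"/"pwsh" follow the article; "cmd" and "mshta" are assumptions
# added for this example.
WATCHLIST = {"powershell", "pwsh", "cmd", "mshta"}

# Constructed sample (not from a real host) of values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Explorer stores each Run-dialog entry with a trailing "\1".
SAMPLE_RUNMRU = {
    "MRUList": "dcba",  # value names, most recent first
    "a": r"notepad\1",
    "b": r"\\fileserver\share\1",
    "c": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
         r" -Command <constructed-placeholder>\1",
    "d": r"cmd /c powershell <constructed-placeholder>\1",
}


def interpreters_in(command):
    """Return watchlisted interpreter names invoked anywhere in the command."""
    hits = []
    for token in re.findall(r'"[^"]*"|\S+', command):
        # Reduce a (possibly quoted, fully qualified) path to its bare name.
        base = re.split(r"[\\/]", token.strip('"'))[-1].lower()
        if base.endswith(".exe"):
            base = base[:-4]
        if base in WATCHLIST and base not in hits:
            hits.append(base)
    return hits


def triage_runmru(values):
    """Walk RunMRU entries newest-first; report those that start an interpreter."""
    findings = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:
            continue  # MRUList can reference a value that was deleted
        command = data[:-2] if data.endswith("\\1") else data
        hits = interpreters_in(command)
        if hits:
            findings.append({"value": name, "command": command,
                             "interpreters": hits})
    return findings
```

A hit is a lead for review rather than proof of compromise, since administrators also start shells from the Run dialog.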
The post ClickFix Social Engineering Technique is the Leading Method for Malware Delivery appeared first on The HIPAA Journal.
Greater Rochester Independent Practice Association Settles MOVEit Data Breach Litigation
A settlement has been agreed to resolve claims against Greater Rochester Independent Practice Association (GRIPA) arising from the May 2023 data breach involving Progress Software’s MOVEit file transfer solution.
In May 2023, the Russian-speaking hacking group Cl0p mass-exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Cl0p exploited the vulnerability to attack an estimated 2,700 companies that used the software, exfiltrated sensitive data, and then demanded payment to prevent the publication of the stolen data. Globally, almost 96 million individuals were affected. Cl0p proceeded to leak large amounts of data on the dark web when its ransom demands were not met.
In the United States, well over 100 class action lawsuits were filed against Progress Software and more than 100 client organizations over the attack and data breach. The plaintiffs alleged that the data breach could have been prevented by implementing industry-standard cybersecurity measures and protocols, such as software to detect suspicious activity, auditing the platform and Progress Software’s cybersecurity practices, restricting the IP addresses that could access the platform, and limiting the file types that could be uploaded.
The lawsuits had overlapping claims and were consolidated into a single multidistrict litigation, which was centralized in the U.S. District Court for the District of Massachusetts – In re: MOVEit Customer Data Security Breach Litigation. Progress Software made multiple bids to have the lawsuit dismissed, and in July 2025, the court largely denied the motions; however, it failed to dismiss the negligence claims under state law in California, Indiana, Michigan, and Ohio.
Several of the affected client organizations have already entered into settlements, including Bank of America, Nuance Communications, and Arietis Health. Now a settlement has been agreed to resolve claims against GRIPA related to the data breach, although the claims against Progress Software have not been resolved and will continue.
GRIPA faced four class action lawsuits over the data breach, the first of which was Clarke, et al. v. Progress Software Corp., et al. The lawsuits were transferred to and coordinated with In re: MOVEit Customer Data Security Breach Litigation. GRIPA patients had their names, dates of birth, Social Security numbers, health & treatment information, health insurance information, pharmacy prescription information, and prescriber information compromised in the incident, and the publication of that data, according to the lawsuit, resulted in cognizable injuries. GRIPA faced claims for negligence, negligence per se, breach of third-party beneficiary contract, breach of implied contract, unjust enrichment, and declaratory and injunctive relief. GRIPA filed a motion to dismiss, which was denied in part and granted in part by the court on December 12, 2024.
GRIPA denies any wrongdoing and disagrees with the claims and contentions in the lawsuit. After considering the cost, expense, and length of proceedings, and the uncertainty of a trial and related appeals, the parties began settlement discussions. Mediation on June 10, 2025, was successful, with the material terms of a settlement agreed upon by all parties.
Under the terms of the settlement, GRIPA has agreed to establish a $2,150,000 settlement fund to pay claims made by the settlement class members. Claims will be paid after attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives have been deducted. Class members may submit a claim for reimbursement of up to $2,500 in ordinary losses, and up to $10,000 in extraordinary losses. Alternatively, if a claim for reimbursement of losses is not filed, class members may claim a one-time cash payment, estimated to be $100 per class member. The cash payments will be subject to a pro rata increase or decrease, depending on the number of valid claims received. In addition, all class members are entitled to file a claim for two years of complimentary credit monitoring and identity theft protection services.
The settlement has received preliminary approval from the court. The deadline for filing a claim is September 3, 2026. The final fairness hearing will be held on the same date. Individuals wishing to exclude themselves from the settlement or object to it must do so by August 4, 2026. Further information on the settlement can be found on the settlement website: https://www.moveitsettlementgripa.com/index.htm
The post Greater Rochester Independent Practice Association Settles MOVEit Data Breach Litigation appeared first on The HIPAA Journal.
Serviceaide Pays $1.8 Million to Settle Data Breach Litigation
Serviceaide, Inc., a provider of AI-powered solutions to boost productivity and enhance service delivery, has agreed to pay $1.8 million to settle a lawsuit stemming from a 2024 data breach that exposed the protected health information of patients of its client, Catholic Health.
Catholic Health is a Buffalo, NY-based non-profit healthcare system serving patients in Western New York through its hospitals, nursing homes, home care agencies, and physician practices. Catholic Health contracted with Serviceaide, and the provision of the contracted services required access to patient data. On or around November 15, 2024, Serviceaide identified unauthorized access to its systems. The forensic investigation confirmed that an unauthorized third party had access to its network from September 19, 2024, to November 5, 2024.
Serviceaide determined that a database containing the records of approximately 483,000 Catholic Health patients was potentially accessed or obtained. The database contained names, dates of birth, Social Security numbers, medical/health information, treatment information, health insurance information, and email/usernames and accompanying passwords. The affected individuals were notified about the data breach on May 9, 2025.
Eleven class action lawsuits were filed in response to the data breach, which were consolidated – Nancy Balzer, et al., v. Serviceaide, Inc. – in the Supreme Court of the State of New York, County of Nassau. The consolidated lawsuit alleges that the data breach should have been prevented and was the result of negligence on the part of the defendant. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, violations of California’s Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq., and declaratory judgment.
Serviceaide denies all wrongdoing, and disagrees with all claims and contentions in the lawsuit. The defendant filed a motion to dismiss, and the plaintiffs filed their opposition to the motion. To conserve resources for the benefit of the class members, the parties explored a potential settlement. As a result of hard-fought negotiations, the terms of a settlement were agreed, and the settlement has now been finalized.
Under the terms of the settlement, Serviceaide has agreed to establish a $1,800,000 settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the 15 class representatives will be deducted. The remainder of the fund will be used to pay valid claims from the class members.
Class members may claim one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to fraud or identity theft as a result of the incident, and other losses up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a cash payment, estimated to be approximately $50 per claim. The cash payments will be paid pro rata after the claims for losses have been paid. The deadline for submitting a claim is September 1, 2026. The final fairness hearing has been scheduled for September 16, 2026. The deadline for objection and opting out is August 17, 2026.
The post Serviceaide Pays $1.8 Million to Settle Data Breach Litigation appeared first on The HIPAA Journal.