North Korean Hackers Using Medusa Ransomware in Attacks on U.S. Healthcare Sector
North Korean state-sponsored hackers are targeting U.S. healthcare organizations and non-profits and deploying Medusa ransomware, according to a joint investigation by Symantec and the Carbon Black Threat Hunter Team.
A wave of recent attacks has been linked to the Lazarus Group, an umbrella term covering multiple cyber threat actors linked to the Reconnaissance General Bureau (RGB) of the North Korean government. The Lazarus Group engages in attacks for espionage purposes, as well as disruptive and destructive attacks on targets primarily in South Korea, but also engages in financially motivated campaigns, often targeting organizations in the United States.
Medusa emerged in 2023 as a ransomware-as-a-service (RaaS) operation, which is believed to be run by a cybercrime group called Spearwing. Affiliates are recruited to conduct attacks using the Medusa encryptor and infrastructure in exchange for a percentage of any ransom payments they generate. Medusa actors engage in double extortion, stealing and encrypting data. A ransom must be paid to obtain the decryption keys and to prevent the leaking or sale of stolen data. Medusa often auctions off stolen data if the ransom is not paid, leaking data that has not been sold.
While North Korean state-sponsored hackers are known to have used Maui and Play ransomware in their financially motivated attacks, Symantec and Carbon Black Threat Hunter Team uncovered evidence that the Lazarus Group has started using Medusa in its ransomware campaigns. They identified an attack on a target in the Middle East, plus four attacks on healthcare organizations and non-profits in the United States since November 2025. U.S. victims include a non-profit mental health service provider and an educational facility for autistic children. Since November 2025, when the first Medusa ransomware attacks were attributed to the Lazarus Group, the average ransom demand is $260,000.
A Lazarus subgroup known as Stonefly (aka Andrael) is believed to be one of the groups involved in the attacks. Stonefly has previously focused on espionage attacks on high-value targets; however, for the past five years, the group has engaged in ransomware attacks, often against hospitals and other healthcare providers. The U.S. Department of Justice has indicted a suspected member of the group, the North Korean Rim Jong Hyok, on charges related to ransomware attacks on U.S. healthcare providers. Rim is alleged to be linked to the RGB and, along with other members of the group, is thought to be involved in ransomware attacks to raise funds for the group’s espionage activities.
Symantec and the Carbon Black Threat Hunter Team have not been able to attribute the attacks to any specific subgroup of Lazarus, but have found sufficient evidence confirming that Lazarus is behind the attacks. Symantec and Carbon Black have tracked more than 366 ransomware attacks involving the Medusa encryptor, although the group has claimed attacks on more than 500 organizations, including more than 40 healthcare organizations. Symantec and Carbon Black have shared indicators of compromise (IoCs) associated with the attacks, along with the range of tools used by the Lazarus group in its current ransomware campaigns.
The post North Korean Hackers Using Medusa Ransomware in Attacks on U.S. Healthcare Sector appeared first on The HIPAA Journal.
Cedar Point Health; Wee Care Pediatrics; Easterseals NI Announce Data Breaches
Data breaches have recently been announced by Cedar Point Health in Colorado, Wee Care Pediatrics in Utah, and Easterseals Northeast Indiana.
Cedar Point Health
Cedar Point Health, a network of health clinics in Colorado, has recently disclosed a cybersecurity incident involving unauthorized access to parts of its network containing patient and employee information. The intrusion was detected on or around June 16, 2025, and third-party cybersecurity experts were engaged to investigate the incident.
Cedar Point Health said it has taken several months of extensive efforts to identify, review, and analyze the impacted data, and on January 27, 2026, that process was completed. Data compromised in the incident includes full names, addresses, dates of birth, medical treatment information, diagnosis or procedure information, clinical information, health insurance information, financial account information, driver’s license or state-issued identification numbers, passport numbers, and/or Social Security numbers/ITINs.
No evidence has been found to indicate any fraud as a result of the incident; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by reviewing their accounts and explanation of benefits statements for suspicious activity. Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services. The data breach is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Wee Care Pediatrics
Wee Care Pediatrics, a pediatric healthcare provider with several locations in northern Utah, has recently announced a cybersecurity incident involving unauthorized access to or the acquisition of patient information. Suspicious activity was identified within its computer network on or around December 15, 2025. Third-party cybersecurity specialists were engaged to investigate the activity and determined that there had been unauthorized access to its network.
The review of the exposed data is ongoing; however, it has been determined that the following types of personal and protected health information were involved: first and last name, contact information, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, date(s) of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, and health insurance information.
Immediate action was taken to contain the incident, and steps have been taken to enhance security to prevent similar incidents in the future. Out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Easterseals Northeast Indiana
Easterseals Northeast Indiana, a nonprofit provider of services to individuals with disabilities and their families, has confirmed that protected health information was accessed and acquired in a security breach. Suspicious activity was identified within its computer network on September 4, 2025. Immediate action was taken to secure the network and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity.
On November 10, 2025, data theft was confirmed, including individuals’ first and last names, contact information, birth date, Social Security numbers, diagnostic and treatment information, and health insurance information. While not stated by Easterseals, this appears to have been a ransomware attack. The Inc Ransom ransomware group claimed to have stolen 405 GB of data in the attack. As a precaution against identity theft and fraud, Easterseals has offered complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved. At present, it is unclear how many individuals have been affected.
The post Cedar Point Health; Wee Care Pediatrics; Easterseals NI Announce Data Breaches appeared first on The HIPAA Journal.
QualDerm Partners Confirms Significant Data Breach – The HIPAA Journal
QualDerm Partners Confirms Significant Data Breach The HIPAA Journal
QualDerm Partners Confirms Significant Data Breach
QualDerm Partners, LLC, a provider of healthcare management services to 158 dermatology and skin care practices in 17 U.S. states, has announced a security incident involving unauthorized access to its computer network. Unauthorized network activity was identified on December 24, 2025, and immediate action was taken to contain the incident and secure its network and computer systems. Third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized access to its network between December 23 and December 24, 2025. During that time, files containing sensitive data were exfiltrated from its network.
The data review is ongoing to determine the individuals and types of information involved. So as not to unduly delay notifications, QualDerm Partners is mailing notification letters to the affected individuals on a rolling basis. Data compromised in the incident varies from individual to individual, and may include names, email addresses, dates of birth/death, doctor names, medical record numbers, diagnoses, treatment information, and health insurance information. A very small subset of individuals may also have had their government-issued identification information, such as driver’s license numbers, compromised in the incident.
QualDerm Partners said it is reviewing its policies, procedures, and protocols related to data security, and while no misuse of patient data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. QualDerm Partners has yet to publicly confirm exactly how many individuals have been affected, and the incident is not yet shown on the HHS’ Office for Civil Rights breach portal. This does appear to be a significant data breach, as the Texas Attorney General has been informed that 174,837 Texas residents have been affected. Since QualDerm Partners works with dermatology practices in 17 U.S. states, the total number of affected individuals is likely to be considerably higher.
This post will be updated when further information becomes available.
The post QualDerm Partners Confirms Significant Data Breach appeared first on The HIPAA Journal.
Opinion – AI’s privacy tipping point: Why America needs a HIPAA for chatbots – AOL.com
Catholic Health System & Northwell Health Settle Pixel Lawsuits – The HIPAA Journal
Catholic Health System & Northwell Health Settle Pixel Lawsuits The HIPAA Journal
Catholic Health System & Northwell Health Settle Pixel Lawsuits
The New York-based health systems, Catholic Health System & Northwell Health, have agreed to settle class action lawsuits stemming from their use of pixels and other website tracking and analytics tools, which are alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without consent.
Website tracking and analytics tools are used extensively across the internet for tracking website visitors. While these tools can collect valuable information to help website owners improve their websites, they can also collect and transmit sensitive data to the third-party providers of the tools. That disclosed information may then be used for advertising purposes.
Depending on how these tools are implemented, they may violate the HIPAA Privacy Rule, such as if they are added to web pages or apps that require authentication. Over the past three years, many lawsuits have been filed over the use of these tools by healthcare providers. HIPAA has no private cause of action, so individuals cannot sue for HIPAA violations. The lawsuits were filed for alleged violations of federal wiretapping laws and state consumer protection laws.
Catholic Health System Pixel Settlement
Catholic Health System, a non-profit integrated health system based in Buffalo, New York, was sued for implementing these tools, which resulted in impermissible disclosures of protected health information to Meta and other third parties. The defendant filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed, and an amended complaint – J.C. v. Catholic Health System, Inc. – was filed in the Supreme Court of the State of New York, County of Erie.
Catholic Health System denies any wrongdoing whatsoever and also denies that tracking technologies were added to its patient portal or electronic medical record system; however, following mediation, a settlement was agreed upon by all parties. The settlement provides benefits to all patients who logged into the Catholic Health System MyChart patient portal from January 1, 2020, through December 11, 2025 (Subclass 1), and any current or former patient who sought and received treatment from Catholic Health System between the same dates, not including individuals in Subclass 1 (Subclass 2).
The defendant has agreed to pay all attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members in Subclass 1 may submit a claim for a one-time cash payment of $20, and members of Subclass 2 may submit a claim for a 12-month membership to a Dashlane privacy monitoring service. Class members have until March 11, 2026, to object to the settlement or exclude themselves. Claims must be submitted by April 10, 2026, and the final fairness hearing has been scheduled for April 23, 2026.
Northwell Health Pixel Settlement
Northwell Health, a New York-based nonprofit integrated healthcare serving patients in New York and Connecticut, faced similar class action litigation over the use of website tracking tools that were alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without patients’ knowledge or consent. Through these tools, the defendant is alleged to have disclosed information related to past, present, or future health conditions, which would allow third parties to determine that an individual was a patient or seeking treatment, together with the type of medical care being sought.
The lawsuit, Kaplan v. Northwell Health, Inc., was filed in the Supreme Court of the State of New York, County of Kings and asserted claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment, negligence, invasion of privacy under New York Civil Rights Law, violations of the New York Consumer Law for Deceptive Acts and Practices, and violations of the Electronic Communications Privacy Act.
The defendant denies all claims of fault, wrongdoing, and liability and disagrees with all contentions in the lawsuit; however, to avoid the expense of ongoing litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation. There are two settlement classes, with different benefits. Individuals who used Northwell Health’s FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, are in Settlement Subclass 1 and may submit a claim for monetary relief of $15 per class member. All other patients of Northwell Health between January 1, 2020, and July 25, 2024, not including those in Settlement Subclass 1, are in Settlement Subclass 2 and may claim a 12-month membership to a privacy monitoring service.
The deadline for objection and opting out is March 23, 2026. The deadline for submitting a claim is April 20, 2026, and the final fairness hearing has been scheduled for April 21, 2026.
The post Catholic Health System & Northwell Health Settle Pixel Lawsuits appeared first on The HIPAA Journal.