Naper Grove Vision Care Falls Victim to Interlock Ransomware Attack

Naper Grove Vision Care in Naperville, Illinois, has recently announced a cybersecurity incident that was detected on May 24, 2025. Independent cybersecurity experts were engaged to investigate unusual network activity and confirmed that an unauthorized third party accessed its network and exfiltrated files containing patient information.

The file review revealed the stolen files contained names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. A limited number of patients also had their Social Security numbers stolen.

Naper Grove Vision Care has advised the affected patients to monitor their account statements and credit reports closely and report any suspicious activity to law enforcement. There is no mention of complimentary credit monitoring services in the substitute data breach notice. The data breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals.

While ransomware was not mentioned in the notice, a ransomware group has claimed responsibility for the attack. The Interlock ransomware group has added Naper Grove Vision Care to its data leak site and claims to have stolen 214 GB of data in the attack across 32,971 folders and 656,891 files. The full data has been leaked, indicating the ransom was not paid.

Florida Lung, Asthma & Sleep Specialists Cyberattack Affects Up to 10,000 Patients

Florida Lung, Asthma & Sleep Specialists (FLASS), which has offices in Orlando, Kissimmee, Winter Garden, and Poinciana, has notified 10,000 patients about a recent data breach. Unauthorized network activity was identified on May 11, 2025, and the forensic investigation indicated that the medical records of certain patients may have been accessed.

Data potentially compromised in the incident includes patient names, birth dates, contact information, and limited medical and billing information. The investigation is ongoing, and notification letters will soon be mailed to the affected individuals. FLASS has not uncovered any evidence to suggest that any of the exposed information has been misused; however, the affected individuals have been advised to remain vigilant and monitor their medical accounts and statements for unusual activity. The affected systems have been secured, and cybersecurity experts have been engaged to review security measures and recommend areas for improvement.

The post Naper Grove Vision Care Falls Victim to Interlock Ransomware Attack appeared first on The HIPAA Journal.

Business Associate Data Breach Affects Duke Regional Hospital Patients

A law firm that provides legal counsel and assistance to Durham County Hospital Corporation in North Carolina has experienced a data breach involving the personal and protected health information of 2,150 individuals.

Manning, Fulton & Skinner, P.A. (MFS), identified suspicious activity within its email system on February 6, 2025. An investigation was launched to determine the cause of the activity, and it was confirmed that certain MFS email accounts had been accessed by an unauthorized individual between September 19, 2024, and February 6, 2025.

Third-party data review specialists were engaged to review the affected accounts and completed the review on May 14, 2025. Durham County Hospital Corporation was notified about the data breach on May 29, 2025, and provided MFS with the necessary information for mailing notifications on July 14, 2025. The law firm has implemented additional email security measures and has offered the affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

The Brien Center for Mental Health and Substance Abuse Services Announces May 2025 Hacking Incident

The Brien Center for Mental Health and Substance Abuse Services in Pittsfield, Massachusetts, has notified state attorneys general about a recent security incident involving unauthorized access to patient information. The intrusion was identified on May 21, 2025, and third-party cybersecurity specialists were engaged to investigate the incident. The Brien Center learned there was unauthorized network access between May 19, 2025, and May 21, 2025, during which time files containing patient information may have been copied from the network.

The file review confirmed that the data potentially compromised in the incident included names, dates of birth, addresses, phone numbers, email addresses, client IDs, dates and times of recent visits, and clinical diagnostic information. Credit monitoring and identity restoration services have been offered to the affected individuals. Currently, there is no breach report on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.


Small Michigan Physical Therapy Practice Reports Loss of Patient Data Due to Cyberattack

Complete Care Rehab, a small physical therapy practice in East Pointe, Michigan, has been targeted by cybercriminals who gained access to its network and potentially viewed or acquired patient information. Suspicious activity was identified within its IT environment on or around May 11, 2025. Third-party cybersecurity experts were engaged to investigate the activity, and the forensic investigation confirmed that patient data was exposed and potentially stolen, including names, phone numbers, addresses, email addresses, dates of birth, diagnoses, treatment information, dates of service, and health insurance information. For a limited number of patients, Social Security numbers were also involved.

It is unclear from the substitute data breach notice whether ransomware was used in the attack. Data had to be restored from backups, but the restoration process failed, and all patient information was lost. Since it was not possible to determine exactly which patients were affected, the decision was taken to send notification letters to all 4,764 current and former patients.

Notification letters were mailed to the affected individuals on July 2, 2025. Complete Care Rehab said it is reviewing and enhancing its existing policies and procedures related to data privacy and security to prevent similar incidents in the future. The incident demonstrates the importance of testing backups to ensure that file recovery is possible.

Susan B. Allen Memorial Hospital Investigating Potential Cyberattack

Susan B. Allen Memorial Hospital in El Dorado, Kansas, is investigating a cybersecurity incident after receiving complaints from patients who were unable to access its online appointment scheduling system. The investigation identified anomalous activity within its network, which resulted in a system outage. Third-party cybersecurity experts have been engaged to assist with the investigation and support its recovery efforts. At such an early stage of the investigation, it has yet to be determined if patient information has been exposed or stolen. A spokesperson for the hospital confirmed that patients will be notified if their data has been exposed or stolen.


Feds Issue Interlock Ransomware Warning as Healthcare Attacks Spike

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint alert about the Interlock ransomware group, which has accelerated attacks on businesses and critical infrastructure organizations. The alert shares the latest tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) collected from investigations of the group’s ransomware attacks in June 2025.

Interlock is a ransomware-as-a-service operation that first emerged in September 2024. The group has attacked entities in multiple sectors but appears to favor organizations in the healthcare and public health (HPH) sector. Healthcare victims include the kidney dialysis giant DaVita, Texas Tech University Health Sciences Center, Kettering Health, Drug and Alcohol Treatment Services, Brockton Neighborhood Health Center, and Naper Grove Vision Care.

Interlock is a financially motivated cybercriminal group that uses ransomware in its attacks on Windows and Linux systems, favoring attacks in North America and Europe. The group engages in double extortion tactics, breaching networks, stealing data, and demanding payment to decrypt files and prevent the publication of the stolen data on its dark web data leak site. The group’s TTPs are constantly evolving, and several new techniques have been observed in recent weeks.

One relatively unusual technique for a ransomware group is the use of compromised legitimate websites for drive-by downloads, disguising the payload as an installer for Google Chrome, Microsoft Edge, and other popular software solutions. These attacks distribute a remote access trojan (RAT), which provides initial access. The RAT executes a PowerShell script, which establishes persistence by dropping a file into the Windows Startup folder to ensure it runs each time the user logs in. Alternatively, a PowerShell command is used to create a run key value in the Windows Registry for persistence.

The group has also been observed using the ClickFix social engineering technique for initial access. This involves tricking individuals into executing a malicious payload by convincing them that doing so will fix a problem on their device – blocking spam emails, removing a fictitious malware infection, etc.

Once initial access has been gained, tools such as Interlock RAT and NodeSnake RAT are used for C2 communications and command execution. The group has been observed using PowerShell to download a credential stealer and keylogger to harvest credentials for lateral movement and privilege escalation. Azure Storage Explorer is used to access Azure storage accounts, AzCopy is used to upload data to the Azure storage blob, and file transfer tools such as WinSCP have also been used for data exfiltration.
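The following added example, which is not part of the original article or the joint alert, triages Sysmon-style events for the behaviors described above: PowerShell writing to the Startup folder or a Run key, and AzCopy, WinSCP, or Azure Storage Explorer starting on a host not approved for them. Field names follow Sysmon event IDs 1, 11, and 13; the sample events, host names, value names, and the approved-host list are constructed for illustration.

```python
import ntpath

# Lower-cased path fragments for the two persistence locations described above.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run\\",
            "\\microsoft\\windows\\currentversion\\runonce\\")
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Usual executable names of the transfer tools named above (assumes no renaming).
TRANSFER_TOOLS = {"azcopy.exe", "winscp.exe", "storageexplorer.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def classify(event, approved_hosts=frozenset()):
    """Return a finding label for one Sysmon-style event, or None."""
    image = ntpath.basename(event["Image"]).lower()
    eid = event["EventID"]
    if eid == 11 and image in POWERSHELL:        # FileCreate
        if STARTUP_DIR in event["TargetFilename"].lower():
            return "startup-folder-write-by-powershell"
    elif eid == 13 and image in POWERSHELL:      # RegistryEvent (value set)
        if any(k in event["TargetObject"].lower() for k in RUN_KEYS):
            return "run-key-write-by-powershell"
    elif eid == 1 and image in TRANSFER_TOOLS:   # ProcessCreate
        if event["Computer"].lower() not in approved_hosts:
            return "transfer-tool-on-unapproved-host"
    return None

def triage(events, approved_hosts=frozenset()):
    """Return (computer, finding) pairs, in input order, for flagged events."""
    found = ((ev["Computer"], classify(ev, approved_hosts)) for ev in events)
    return [(host, finding) for host, finding in found if finding]

# Constructed sample events; hosts, users and value names are made up.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = [
    {"EventID": 11, "Computer": "ws-014", "Image": PS, "TargetFilename": STARTUP + r"\example.lnk"},
    {"EventID": 11, "Computer": "ws-020", "Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\notes.lnk"},
    {"EventID": 13, "Computer": "ws-014", "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue"},
    {"EventID": 13, "Computer": "ws-014", "Image": PS, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Example\Setting"},
    {"EventID": 1, "Computer": "ws-014", "Image": r"C:\Users\alice\Downloads\azcopy.exe"},
    {"EventID": 1, "Computer": "backup-01", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE, approved_hosts={"backup-01"}):
        print(host, finding)
```

The transfer tools are legitimate software, so the third rule only has value when the approved-host list reflects where the organization actually runs them.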

The authoring agencies have made several recommendations to mitigate Interlock threat activity, which include the following:

  • Implement a domain name system (DNS) filtering solution to block access to malicious websites
  • Implement a web access firewall
  • Patch promptly and keep all software and operating systems up to date
  • Train end users to spot social engineering and phishing attempts
  • Segment networks to restrict lateral movement
  • Implement robust identity, credential, and access policies
  • Implement multifactor authentication on all accounts and services as far as possible, ideally phishing-resistant multifactor authentication
  • Ensure backups are made of the entire organization’s data infrastructure, and that backup data is encrypted, immutable, and stored securely off-site

 
