Microsoft Seizes Sites Used by Popular Phishing Operation to Attack Healthcare Orgs

Posted by Steve Alder

Microsoft has announced the seizure of hundreds of websites used by a popular phishing-as-a-service (PhaaS) operation that targets Microsoft 365 credentials. The operation’s phishing kits have been used to steal at least 5,000 usernames and passwords, including the Microsoft 365 credentials of at least 20 U.S. healthcare organizations.

According to the Microsoft Digital Crimes Unit (DCU), RaccoonO365 is the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords. The PhaaS operation provides subscription-based phishing kits, which generate phishing emails mimicking official communications from Microsoft. The emails direct victims to websites that trick victims into disclosing their Microsoft 365 credentials. The phishing kits lower the barrier to conducting phishing campaigns and can be used by even low-skilled individuals to steal credentials.

RaccoonO365 has been offering phishing kits to cybercriminals since at least July 2024. Subscribers are able to use the infrastructure to send up to 9,000 phishing emails per day. A 30-day subscription costs less than $12 per day, and under $10 per day for a 60-day subscription. The phishing kits utilize sophisticated techniques to steal credentials and bypass multi-factor authentication. Recently, RaccoonO365 added a new service that utilizes AI to scale operations and increase the sophistication and effectiveness of phishing campaigns.

The stolen credentials can provide access to accounts and sensitive data; however, they are commonly used to gain a foothold to launch more comprehensive attacks on victims, often leading to malware and ransomware downloads. The attacks have resulted in significant financial losses for healthcare providers and have disrupted critical patient care, putting patients at risk of harm. In addition to the attacks on healthcare organizations, RaccoonO365’s phishing kits were used for an extensive tax-themed phishing campaign that targeted more than 2,300 U.S. organizations worldwide.

MCU identified the leader of the operation, Joshua Ogundipe, who resides in Benin City in Nigeria. Ogundipe has a background in computer programming and is believed to have authored the bulk of the code for the phishing kits. Ogundipe was identified following a security lapse, which allowed MCU to identify a secret cryptocurrency wallet used by Ogundipe. Ogundipe, along with his associates, marketed and sold the RaccoonO365 phishing kits on Telegram and collected more than $100,000 in subscription payments. MCU estimates that between 100 and 200 subscriptions were sold, although that range is likely to be underestimated. Based on that range, subscribers could send between 900,000 and 1.8 million phishing emails per day. MCU’s intelligence has been shared with international law enforcement

Microsoft and Health-ISAC filed a lawsuit in the U.S. District Court for the Southern District of New York against Ogundipe and four John Doe conspirators seeking recovery of damages and the seizure of domains used by the operation. The allegations against the defendants include violations of the Computer Fraud and Abuse Act, Racketeer Influenced and Corrupt Organizations (RICO) Act, and the Electronic Communications Privacy Act.

The DCU investigation identified 338 sites used by the operation, which were seized after a court order was granted. Cloudflare assisted with the seizure of the domains. The domain seizures have caused considerable disruption to RaccoonO365’s operation. “To counter RaccoonO365, we acted swiftly to protect our customers and prevent further harm. But criminals constantly evolve, so Microsoft is evolving too,” explained Steven Masada, Assistant General Counsel and Director of Microsoft’s Digital Crimes Unit. “For instance, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations. These help us trace criminals’ cryptocurrency transactions, linking online activity to real identities for stronger evidence.

The post Microsoft Seizes Sites Used by Popular Phishing Operation to Attack Healthcare Orgs appeared first on The HIPAA Journal.

Columbia University Health Care to Pay $600,000 to Settle Data Breach Lawsuit

Posted by Steve Alder

Columbia University Health Care (CUHC) has agreed to pay $600,000 to settle a class action lawsuit over a cybersecurity incident that affected 29,629 current or former patients. The data breach in question occurred between September 11, 2023, and March 7, 2024, when cybercriminals had access to an Internet-accessible platform used by Columbia University Irving Medical Center, the academic medical center of Columbia University, and the largest campus of New York-Presbyterian Hospital. Columbia University and New York-Presbyterian participate in an Organized Health Care Arrangement. The hackers were able to access sensitive healthcare information, including names, medical record numbers, dates of birth, provider names, and a single laboratory test result. Notification letters were mailed to the affected individuals in May 2024.

In July 2024, a lawsuit was filed against New York-Presbyterian Columbia University Irving Medical Center by Juanita Huggins, and a second lawsuit was filed in October 2024 by Margaret Nemeth. The defendant, New York-Presbyterian Hospital, was dismissed, and the litigation continued as Margaret Nemeth, et al. vs. Columbia University Health Care, Inc., in the Supreme Court of the State of New York, County of New York

The lawsuit alleged that CUHC failed to implement and maintain adequate security measures to protect the private information of patients in its possession and should have prevented the data breach. CUHC disagrees with the claims and contentions in the lawsuit and maintains there was no wrongdoing. Following mediation on April 18, 2025, the material terms of a settlement were agreed upon, and the settlement agreement has received preliminary approval from the court.

Under the terms of the settlement, CUHC has agreed to establish a $600,000 settlement fund, which will be used to cover attorneys’ fees and expenses, service awards for the class representatives, settlement administration costs, and benefits for the class members. All class members are entitled to claim a two-year subscription to the CyEx Medical Shield Complete service, which includes single-bureau credit monitoring, dark web monitoring, Medicare beneficiary monitoring, medical record number monitoring, health savings account monitoring, national provider identifier monitoring, high-risk transaction monitoring, security freeze assistance, and victim assistance services.

Class members may also submit a claim for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $10,000 per class member. In addition, class members may claim a pro rata cash payment, which will be paid after all costs, expenses, claims, and credit monitoring costs have been deducted from the settlement fund. The deadline for exclusion from and objection to the settlement is October 27, 2025. All claims must be submitted by November 25, 2025, and the final fairness hearing has been scheduled for December 5, 2025. Further information is available on the settlement website: https://columbiahealthcaredatabreach.com/

The post Columbia University Health Care to Pay $600,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

New Jersey Medical Groups Warn Patients About Data Breach

Posted by Steve Alder

Two New Jersey medical groups have notified patients that their data may have been compromised in a recent security incident. Family & Community Services in Ohio is investigating a cyberattack that exposed patient data.

Passaic Hospitalist Services/ Passaic River Physicians, New Jersey

Legal counsel for two New Jersey medical groups has notified patients of the medical groups Passaic Hospitalist Services and Passaic River Physicians that some of their protected health information has potentially been stolen in a recent data security incident.

Suspicious activity was identified within its computer systems, and an investigation was launched to determine the cause of the activity, which revealed unauthorized access and acquisition of files from certain systems between May 22 and May 23, 2025. A review was conducted of all files on the compromised parts of the network, and it was determined on September 11, 2025, that protected health information was involved, including names, dates of birth, addresses, diagnosis information, provider names, dates of service, treatment information, and/or health insurance information.

Notification letters are now being mailed to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Family & Community Services, Ohio

Family & Community Services Inc., a social services organization in Ravenna, Ohio, has recently written to its clients to inform them about the potential theft of some of their personal data. On May 22, 2025, Family & Community Services identified activity within its computer systems indicative of unauthorized access. Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to its computer systems.

The investigation and data review are ongoing, and Family & Community Services has not yet determined the number of individuals affected or the exact types of data involved. Notification letters will be mailed to the affected individuals when the file review is completed. The letters will detail the types of data involved. In the meantime, clients have been advised to remain vigilant against incidents of identity theft and fraud. Family & Community Services said it restored operations in a safe and secure manner, and steps have been taken to enhance security. Those measures include hardening remote entry points, which indicates the likely initial access vector in the incident.  Steps have also been taken to strengthen access controls.

The post New Jersey Medical Groups Warn Patients About Data Breach appeared first on The HIPAA Journal.

Goshen Medical Center Notifies 456,000 Individuals About Hacking Incident

Posted by Steve Alder

Goshen Medical Center, a federally qualified healthcare organization serving patients in eastern North Carolina, is notifying 456,385 individuals about a recent security incident that exposed some of their personal and protected health information. Suspicious activity was identified within its computer systems on March 4, 2025. Third-party cybersecurity specialists were engaged to investigate the activity and confirmed that an unauthorized third party had access to its network, and files containing sensitive patient data may have been viewed or acquired on February 15, 2025.

A comprehensive review was conducted of the exposed files, and on September 12, 2025, Goshen Medical Center confirmed that the files contained patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical record numbers. Goshen Medical Center has implemented additional safeguards to prevent similar incidents in the future and has offered the affected individuals up to 24 months of complimentary credit monitoring and identity theft protection services.

Survival Flight

Survival Flight, an Arkansas-based rapid response air & ground emergency medical service provider, experienced a cybersecurity incident on July 17, 2025, that impacted its IT systems. In an August 12, 2025, website notice, Survival Flight explained that it is currently working to determine the full extent to which patient information has been compromised, although it has been confirmed that information such as names, addresses, treatment information, and health insurance information was likely compromised in the incident.

When the review of the affected data is completed, notification letters will be mailed, and resources will be provided to help the affected patients protect their information. At the time of publishing the website notification, no misuse of patient data had been identified. Survival Flight has confirmed that it has taken steps to improve security to prevent similar breaches in the future. While the name of the threat group behind the attack was not disclosed in the notice, the Worldleaks ransomware group (formerly Hunters International) claimed responsibility for the attack and added Survival Leak to its dark web data leak site. Worldleaks claims to have leaked the full 2.8 TB of data stolen in the attack.

The post Goshen Medical Center Notifies 456,000 Individuals About Hacking Incident appeared first on The HIPAA Journal.