KillSec Ransomware claimed responsibility for a cyberattack on MedicSolution, a software solutions provider for the healthcare industry in Brazil.
The KillSec Ransomware group has threatened to leak sensitive data unless negotiations are initiated promptly. According to threat intelligence reporting by Resecurity, the root cause of the incident was data exfiltration from an insecure AWS S3 bucket. Based on the investigation performed by cybersecurity experts, the window of exposure can be estimated at ‘several months.’ This is probably the first notable supply chain incident affecting the healthcare industry in Brazil.
Notably, it is not the first time the ransomware group has targeted Brazil. Some time ago, the actors leaked personal and business data containing CNPJ/CPF identifiers, transaction amounts, banking information, and other data from government resources in Brazil. At that time, the group did not clarify the full scope of the breach or its possible source. KillSec Ransomware has been known for both confirmed incidents and fake or speculative claims.
Unfortunately, this time KillSec Ransomware hit Brazil hard. The stolen healthcare data contain sensitive laboratory result reports, medical assessments, and other privacy-sensitive information. Resecurity identified several patients and contacted them; none of them was aware of the incident as of today. Cybercriminals use data stolen from healthcare institutions for extortion, understanding that its release will cause significant damage not only to the victim organization but also to its end customers, given that patients do not expect their information to be published online.
The total volume of stolen data exceeds 34 GB, containing over 94,818 files. The compromised data include:
- Medical evaluations
- Medical lab results
- X-rays
- Unredacted patient pictures, including those showing body parts
- Records related to minors
Notably, KillSec ransomware actors also targeted healthcare institutions in Colombia, Peru, and the United States a few days before Brazil. Such timing demonstrates the increasing interest of cybercriminals in the healthcare field.
Two days ago, the actors announced the successful compromise of several notable healthcare organizations:
- Archer Health (USA)
- Suiza Lab (Peru)
- GoTelemedicina (Colombia)
- eMedicoERP (Colombia)
One month ago, the actors leaked data from Doctocliq, a prominent healthcare software platform in Peru that serves over 3,500 doctors across more than 20 countries. In the past, the group also targeted the Royal Saudi Air Force (RSAF) and released several new leaks from sectors outside healthcare, including the compromise of Nathan and Nathan (UAE), an HR, staffing, and technology solutions provider, as well as Ava Senior Connect (USA), a communication platform designed for senior living communities.
Based on Resecurity’s analysis, KillSec Ransomware has found a sweet spot in targeting healthcare organizations. Healthcare organizations store vast amounts of sensitive and valuable data, including personal identification, medical histories, insurance details, and payment information.
The litigation and enforcement landscape for data breaches in Brazil’s healthcare sector is shaped primarily by the Lei Geral de Proteção de Dados (LGPD), Brazil’s General Data Protection Law, which came into full effect in 2020. The LGPD applies to all organizations processing personal data in Brazil, with health data classified as “sensitive personal data” and subject to heightened protection and stricter processing requirements. The main regulatory authority for data protection enforcement is the Autoridade Nacional de Proteção de Dados (ANPD), which oversees LGPD compliance, investigates breaches, and imposes sanctions.
The ANPD fined 15 healthcare institutions a total of BRL 12 million (~$2.4 million USD) for lacking encryption and breach response plans as a result of the 2024 Healthcare Sector Audit. Additional corrective measures included mandatory penetration testing and staff training. Since 2023, the ANPD has imposed over BRL 98 million (~$20 million USD) in fines across all sectors, with healthcare representing a significant portion due to repeated vulnerabilities and sector-wide audits.
(SecurityAffairs – hacking, KillSec Ransomware)