Grace Lutheran Communities, operating as Grace Lutheran Foundation in Wisconsin, disclosed a significant data breach on February 9, 2024. The intrusion, discovered on January 22, exposed patient and employee data including names, addresses, Social Security numbers, and health insurance details. The BlackCat (ALPHV) ransomware group claimed to have exfiltrated 70 GB of data and added Grace Lutheran to its dark web leak site on the same day the organization published its disclosure.
According to BlackCat's leak-site post, negotiations with Grace Lutheran collapsed after the organization allegedly "refused to protect data of its employees and patients/customers." A chat log obtained by DataBreaches contradicts that account: it shows Grace Lutheran agreeing to pay but asking for more time to arrange payment. Grace Lutheran stopped responding in the chat on February 6, and BlackCat published its listing three days later. DataBreaches previewed the leaked files and found extensive patient records in .pdf format, clinical notes, and employee-related records.
Grace Lutheran, a HIPAA-covered entity, appears to be working with its cybersecurity firm to respond to the publication of the stolen data. Its breach notice was updated on February 17 to acknowledge the unauthorized publication and to promise prompt notification of affected individuals. BlackCat claims the attack began on December 22, 2023, with initial access gained through phishing and social engineering, and that it encrypted the network without being detected. Multiple attempts to reach Grace Lutheran management for comment have gone unanswered.