The recent data breach at Legacy Treatment Services in New Jersey has brought the relatively new ransomware gang known as Interlock into the spotlight. Legacy Treatment Services confirmed that the personal and medical information of 41,826 individuals was compromised in an attack that occurred between October 6 and October 11, 2024. The data stolen is extensive and highly sensitive, including names, Social Security numbers, dates of birth, driver’s license and passport numbers, financial details like bank and credit card information, as well as a range of clinical and health insurance information. Interlock publicly took credit for the breach and, as a show of proof, posted sample images of documents they claimed were stolen, asserting they acquired a massive 170 GB of data consisting of “internal documents, patient records, and a large SQL database.”
The incident at Legacy Treatment Services is part of a broader trend of ransomware attacks targeting healthcare organizations. This sector is a prime target for cybercriminals due to the highly sensitive and valuable nature of the data it holds, making healthcare providers more likely to pay ransoms to avoid the public release of patient information. For the victims of the Legacy breach, the compromised data is a goldmine for identity thieves and fraudsters. The stolen information—encompassing everything from personal identifiers and financial details to clinical records and prescription information—could be used to commit a variety of crimes, from opening fraudulent accounts to filing false insurance claims. Legacy Treatment Services is offering affected individuals free identity theft protection through a service called IDX, with an enrollment deadline of November 20, 2025.
Interlock is a ransomware group that first emerged in October 2024. Like many modern ransomware operations, the group employs a double extortion tactic. This strategy involves not only encrypting a victim’s data and demanding a ransom to restore access but also exfiltrating, or stealing, a copy of the data. The group then threatens to sell or publicly release the stolen information unless a second ransom is paid. This dual threat significantly increases the pressure on the victim organization to comply with the attackers’ demands. Interlock’s business model is built on this coercion, leveraging the fear of public exposure and regulatory penalties to maximize their profits.
Since its emergence, Interlock has quickly made a name for itself, claiming responsibility for a number of high-profile attacks. The group has publicly confirmed 27 ransomware attacks and has made an additional 32 unconfirmed claims. This high volume of activity in a short period indicates a well-organized and aggressive operation. Among its confirmed targets are seven healthcare companies, including DaVita, a large kidney care provider that recently notified nearly 2.7 million people of a data breach linked to Interlock. Other victims include the city of St. Paul, Minnesota, and the Christian Brothers Academy, illustrating the group’s diverse targeting across different sectors.
The attack on Legacy Treatment Services and others by groups like Interlock highlights a critical cybersecurity issue. As organizations become more reliant on digital systems to manage sensitive data, they also become more vulnerable to sophisticated cyberattacks. These incidents underscore the need for robust security measures, including regular data backups, network segmentation, and employee training to recognize phishing attempts. The rise of groups like Interlock serves as a stark reminder that even with significant security investments, no organization is entirely immune to the evolving threat landscape. The consequences for both the organizations and the individuals whose data is compromised can be severe and long-lasting.