Grace Lutheran Foundation, doing business in Wisconsin as Grace Lutheran Communities, provides a variety of services including rehabilitation, assisted living, skilled nursing, independent living, adult day services, and child care. On February 9, it posted a notification regarding a data breach discovered on January 22, 2024. It stressed that there was no indication of any data misuse, but also said that the ongoing investigation had already revealed that patient information was involved: name, address, Social Security number, and health insurance information.
On the same day Grace Lutheran posted the notice, BlackCat added it to its dark web leak site.
According to BlackCat's leak-site post, it obtained 70 GB of data and, after weeks of negotiations, Grace Lutheran Communities "unfortunately refused to protect employee and patient/customer data. That's why these data are now freely available to the public."
BlackCat's depiction of Grace Lutheran as "refusing to protect" is misleading. There is no indication in the chat logs, which BlackCat provided to DataBreaches with the understanding that they would not be directly published or quoted, that Grace Lutheran refused to pay. The logs show that Grace Lutheran agreed to pay but asked for more time to make the payment, and then negotiations broke down.
Grace Lutheran stopped responding on February 6 and posted its breach notice three days later.
DataBreaches was also given access to preview the leaked data. As BlackCat claimed, it appears that personal and confidential information of both employees and residents/patients is involved. Many files included the patient's name and a date as part of the file name.
DataBreaches skimmed the files within the tranche and found clinical notes and complete records in .pdf format for the named patients. For some patients, the medical records ran to hundreds of pages in .pdf format and contained personal information and protected health information. Other patient files were more concise records. Employee-related records were also found in the tranche.
DataBreaches sent an inquiry to Grace Lutheran on February 17. Although no response was received, it appears that the security incident notification has been quietly updated to include the following:
On February 17, 2024, we became aware that an unauthorized attacker had published data related to the incident that may have included personal information of Grace Lutheran Church employees and residents. We are working with cybersecurity companies to address and remediate this data exposure. We will promptly contact individuals affected by this or any future disclosure of confidential information by such actors.
Based on the information on its website, Grace Lutheran appears to be a HIPAA covered entity. The incident has not been posted to HHS's breach portal at this time, but HHS expects covered entities to notify it within 60 days of discovery. According to a BlackCat spokesperson, the attack occurred on December 22, and access was gained through phishing and social engineering. DataBreaches could not independently confirm that claim, nor BlackCat's characterization of Grace Lutheran's security as "like breakfast to us." In response to questions from DataBreaches, the spokesperson claimed they had successfully locked the network without being detected. He said, "I have reached out to several top-level employees to speak with them. For internal reasons within our organization, patients and employees have not yet been notified."
One of the questions DataBreaches posed to BlackCat was whether it regretted not accepting Grace Lutheran’s offer during negotiations.
"The amount requested was based on the company's financial documents. I don't know if their purpose was to delay the negotiation process, but they definitely took the time to answer all the questions. This is not acceptable in cases like this," the spokesperson said. The price was originally set at $750,000, the spokesperson said. When Grace Lutheran offered $435,000, BlackCat asked for another $100,000. Further negotiation followed, with Grace Lutheran repeatedly saying that it needed more time, and then Grace Lutheran stopped responding.
The BlackCat spokesperson told DataBreaches that they had emailed Grace Lutheran's management again but did not receive a response.