10 March 2023

Healthcare data of US Congress members sold on dark web | Cyber Intelligence Briefing: 10 March

Top news stories this week

  1. Code red. US Congress members’ data sold on dark web following breach at insurance marketplace.
  2. A new low. Ransomware groups release photos of cancer victims and student data.
  3. Cold calling. Thousands scammed by artificial intelligence voice technology.
  4. Delicate operation. Barcelona hospital targeted by cyber attack.
  5. Emotet returns. New campaign sends fake invoices as replies to existing email chains.
  6. Gotcha! German and Ukrainian police arrest DoppelPaymer ransomware group members.
  7. Stuffed chicken. Chick-fil-A suffers automated credential stuffing attack.


1. Healthcare data of US Congress members sold on dark web

Healthcare records of US Congress members, their families, and dependents were allegedly put up for sale on an online forum following a breach at the DC Health Link insurance marketplace. The leak included the healthcare records of 170,000 customers, containing social security numbers, employer names, and contact details.

Although IntelBroker, the initial seller of the data, is understood to be financially motivated, the buyer is unknown. The sensitive nature of the data has raised national security concerns.

So what?

Depending on the sensitivity of any breached data, affected individuals should consider ongoing credit monitoring to mitigate the risk of impersonation by malicious actors.



2. Ransomware gangs use new extortion technique

The ransomware gang ALPHV, also known as BlackCat, has published clinical photos of breast cancer patients on its leak site. It described the images as “nude photos” in a bid to pressure Lehigh Valley Health Network into paying the ransom.

Separately, the Medusa ransomware group released a video showing data stolen from Minneapolis Public School District, which included students’ grades and payroll information.

So what?

Threat actors continue to seek new methods to pressure victims. Conducting a ransomware readiness assessment can build resilience and improve preparedness. 



3. Threat actors trick victims with AI-generated telephone calls

Threat actors are now using AI-powered voice simulation technology to impersonate victims' loved ones in distress over the phone and deceive them into sending money. The US lost USD 11 million to such scams in 2022.

So what?

Individuals should be cautious when answering calls from unknown numbers, especially when a demand is being made. If a demand of this nature is made, the individual should always verify the claim by contacting the supposed victim through another communication channel.



4. Operations cancelled after Barcelona hospital cyber attack

A cyber attack on the Clinic de Barcelona has led to the shutdown of the facility's clinics, laboratories, and main computer systems. The incident also forced the cancellation of 150 non-urgent operations and 3,000 routine checkups. The hospital is working to restore its systems and has stated that no patient data was compromised or stolen.

So what?

Healthcare providers should ensure they have documented and tested business continuity plans in place to avoid major disruption to patient care in the event of a cyber attack.



5. New Emotet email campaign

After a three-month hiatus, the Emotet malware operation has returned with a new email campaign that uses fake invoices as a lure, sent as replies to existing email chains. Emotet can steal a victim's emails and contacts or download further payloads such as ransomware.

So what?

The malicious payloads are designed to evade detection by antivirus solutions. Never open unexpected email attachments, and seek confirmation from the sender if in doubt.



6. German and Ukrainian police arrest ransomware group members

The German and Ukrainian Police have arrested two individuals suspected of playing key roles in the DoppelPaymer ransomware group. The group extorted USD 30 million in ransom payments between 2019 and 2021.

So what?

Recent international law enforcement operations have disrupted ransomware operations, but threat actors are resilient. Backing up critical data, keeping systems patched with the latest security updates, and implementing endpoint protection measures remain important when addressing the risks that ransomware poses.



7. Chick-fil-A confirms compromise of 71,000 customer accounts

The American fast food chain Chick-fil-A has confirmed the compromise of 71,000 customer accounts through an automated 'credential stuffing' attack, which allowed the threat actor to access funds and personal information. The compromised accounts were sold online at prices based on their balance.

Separately, a lawsuit has been filed against PayPal for a data breach in December 2022 that resulted from a ‘credential stuffing’ attack.

So what?

Organisations must enforce a password policy that requires strong, unique passwords with timely rotation and multi-factor authentication. Financial transactions should also be monitored for suspicious activity.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, in particular, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

James Tytler
Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
