New York-based human services provider Equinox disclosed a data security breach from April 29, 2024, impacting over 21,500 individuals. The incident, later attributed to the LockBit3.0 ransomware group, involved the theft and subsequent leak of sensitive personal and health information.
Equinox, a nonprofit in New York, experienced a network breach impacting its operation systems. While the company was initially vague about the nature of the attack, they confirmed that sensitive data had been accessed or stolen. The compromised data included Social Security numbers, financial account details, passport numbers, medical diagnoses, treatment records, and prescription data.
LockBit3.0 ransom group claimed responsibility for the attack, listing Equinox on its leak site in May and releasing 31.8 GB of sensitive data in August after a ransom demand went unmet.
LockBit3.0 has been a major player in ransomware attacks, even surviving law enforcement crackdowns in early 2024. Known for targeting organizations with sensitive data, they use double extortion, demanding ransom for data decryption and preventing public leaks.
Their approach places healthcare and nonprofit sectors at higher risk, as they often lack the resources for robust cybersecurity defenses. Equinox joins a growing list of organizations targeted by LockBit, whose activities continue to expose vulnerabilities in the health industry.
Go deeper: Global law enforcement attempts takedown of LockBit ransom group
In its breach notification letter, Equinox stated, “Equinox conducted a comprehensive review of the potentially affected files, and on September 16, 2024, we determined that some individuals’ personal and/or protected information may have been affected as a result of this incident.”
The healthcare industry has become a primary target for ransomware groups like LockBit3.0. Their persistence demonstrates that even organizations serving vulnerable populations are not immune to sophisticated cyberattacks.
Ransomware attacks like the Equinox breach show that organizations handling sensitive data must improve their cybersecurity. More specifically, organizations must uphold data protection standards, employ encryption, and limit data retention to reduce the impact of future attacks.
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
See also: How to respond to a data breach
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under US law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.