Access to employees’ email accounts, and then pivoted to specifically target login information related to the processing of reimbursement payments to insurance companies, medicare, or similar entities.
To gain initial access to victim networks, the threat actor acquired credentials through social engineering or phishing. In some observed instances, the threat actor called an organization’s IT Help Desk posing as an employee of the organization, and triggered a password reset for the targeted employee’s organizational account [T1566.004]. In some instances, by manipulating the IT Help Desk employees, the threat actor was able to bypass multifactor authentication (MFA) [T1556.006]. In another instance, the threat actors registered a phishing domain [T1556.001] that varied by one character from the target organization’s true domain, and targeted the organization’s Chief Financial Officer (CFO) [TA1656].
Read more…
Source: U.S. Federal Bureau of Investigation Cyber Division
Related:
- Attackers used social engineering to access third-party business apps and steal patient information
June 16, 2026
Heart monitoring biz iRhythm says thieves made off with patient health information and tried to turn it into a payday. The California-based cardiac monitoring specialist offers customers a wearable device that collects data, then analyzes it to create reports about heart health. The company said it detected unauthorized activity on June 8 and launched an investigation ...
- Public and Private Medical Community Targeted by China-Nexus Threat Actor
June 15, 2026
Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People’s Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community. While remaining undetected for over a year, the threat actor compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal ...
- Qilin NHS breach tally grows as Essex trust confirms stolen records
June 9, 2026
The patient tally from the Synnovis ransomware attack continues to grow two years later, with Mid and South Essex NHS Foundation Trust confirming it was caught up in the breach. The trust told The Register that the Synnovis breach affected about 2,380 records relating to patients who underwent specialist diagnostic testing. The disclosure follows a similar announcement by Bedfordshire ...
- NYC Health + Hospitals says hackers stole medical data affecting at least 1.8m people
May 18, 2026
New York public health provider NYC Health + Hospitals says a months-long data breach that allowed hackers to steal personal data, medical records, and fingerprints scans affects at least 1.8 million people. NYCHHC is the largest public health system in the United States and provides healthcare to over a million New Yorkers, the majority of whom are uninsured or ...
- Medtronic says ShinyHunters hackers stole around 9 million medical records in latest attack
April 28, 2026
Medtronic, one of the biggest medical device manufacturers in the world, has confirmed suffering a cyberattack in which crooks “accessed data in certain Medtronic corporate IT systems.” In a security notification published on its website, Medtronic said the attack does not affect its customers or products, and also stressed it will continue operating as usual, without ...
- Stolen medical data from 500,000 UK volunteers advertised for sale on a Chinese website
April 23, 2026
Health information belonging to 500,000 people in the United Kingdom has been stolen and offered for sale on the Chinese website Alibaba, the UK’s technology minister Ian Murray has confirmed. The medical data comes from participants of UK Biobank, the world’s most comprehensive dataset of biological, health, and lifestyle information, compiled from volunteers and used by ...