# Southern Illinois Dermatology Breach Exposes Data of Over 150,000 Patients

**'Insomnia' Threat Group Leaks Data of 150,000+ Patients After Southern Illinois Dermatology Breach**

Published 2026-04-08 | Article type: NewsArticle | Reading time: 5 minutes | Severity: **high** | Categories: Data Breach, Threat Actor, Ransomware

Record id: f79818a9-1784-4416-b571-ce7ac26964a1 (slug: `southern-illinois-dermatology-breach-exposes-data-of-over-150000-patients`)

**Summary:** Southern Illinois Dermatology has started notifying patients of a data breach that occurred in November 2025. An unauthorized party gained access to its network and exfiltrated files containing patient data, including names, Social Security numbers, and medical information. The 'Insomnia' threat group has claimed responsibility for the attack, alleging they stole data from over 150,000 patients. The group has since followed through on its threats by leaking the entire stolen dataset on its data leak site, amplifying the impact on affected individuals.

---

## Executive Summary

**Southern Illinois Dermatology**, a healthcare provider, has confirmed a significant data breach stemming from a network intrusion discovered on November 28, 2025. An investigation confirmed that an unauthorized third party accessed and exfiltrated files containing a vast amount of sensitive patient data. The compromised information includes full names, Social Security numbers, dates of birth, and medical record numbers. While the provider began sending notification letters on April 2, 2026, a threat group known as **Insomnia** has publicly claimed responsibility. The group alleges it stole data belonging to over 150,000 patients and has subsequently leaked the entire dataset on its dark web leak site, posing a severe and immediate risk of fraud and identity theft to the affected individuals.

---

## Threat Overview

This incident is a classic example of a double-extortion attack targeting the healthcare sector. The threat group, **Insomnia**, first gained unauthorized access to the network of **Southern Illinois Dermatology**. After moving laterally and identifying valuable data, they exfiltrated large volumes of patient records. The group likely attempted to extort the healthcare provider for a ransom payment. When the provider did not pay (or negotiations failed), the attackers executed the second part of the extortion by leaking the stolen data publicly. This tactic is designed to maximize pressure on victims and inflict reputational damage, while also allowing the attackers to monetize the data through other means. The five-month gap between the discovery of the incident (November 2025) and the notification to patients (April 2026) is also a significant point of concern.

---

## Technical Analysis

While the specific intrusion vector was not disclosed, attacks of this nature typically involve one of the following TTPs:

- **Initial Access:** Exploitation of a vulnerability in an external-facing device (e.g., VPN, firewall) or a successful phishing attack against an employee. [`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/).
- **Credential Access:** Use of tools like Mimikatz to dump credentials from memory to escalate privileges. [`T1003 - OS Credential Dumping`](https://attack.mitre.org/techniques/T1003/).
- **Discovery:** Once on the network, the attackers would have used native Windows tools (`net user`, `net group`) and scanning tools to map the internal network and locate file servers or databases containing patient data. [`T1087 - Account Discovery`](https://attack.mitre.org/techniques/T1087/).
- **Collection:** Data is typically aggregated from multiple sources and compressed into large archive files (`.zip`, `.rar`, `.7z`) in a staging area before exfiltration. [`T1560.001 - Archive via Utility`](https://attack.mitre.org/techniques/T1560/001/).
- **Exfiltration:** [`T1048 - Exfiltration Over Alternative Protocol`](https://attack.mitre.org/techniques/T1048/): The large archive files are then uploaded to attacker-controlled infrastructure, often using legitimate cloud storage services to blend in with normal traffic.

---

## Impact Assessment

The impact on the over 150,000 patients is severe and long-lasting:

- **Identity Theft and Fraud:** With full names, dates of birth, and Social Security numbers, criminals can open new lines of credit, file fraudulent tax returns, and commit other forms of identity theft.
- **Medical Fraud:** Medical record numbers can be used to file fraudulent insurance claims or obtain prescription drugs.
- **Targeted Phishing:** The leaked data enables highly convincing and personalized phishing attacks against the victims, using their personal and medical information to build trust.
- **Regulatory and Legal Consequences:** **Southern Illinois Dermatology** faces significant regulatory scrutiny from the U.S. Department of Health and Human Services for a potential HIPAA violation. The breach will also likely result in costly class-action lawsuits from affected patients.
- **Reputational Damage:** The public disclosure and data leak severely damage the provider's reputation and patient trust.

---

## Cyber Observables for Detection

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| command_line_pattern | `rar.exe a -hp[password] data.rar @files.txt` | Attackers often use command-line archiving tools to stage data for exfiltration. | EDR or process creation logs (Event ID 4688) on file servers. | medium |
| network_traffic_pattern | `Large upload to Mega.nz / Dropbox / etc.` | Exfiltration is often performed by uploading large archives to cloud storage services. | Monitor for unusually large uploads from servers to consumer cloud storage domains. | high |
| log_source | `File Share Audit Logs` | A single user account accessing an abnormally large number of files on a file server. | Enable and monitor file access auditing on Windows servers. | high |
| threat_actor | `Insomnia` | The name of the group claiming responsibility. | Threat intelligence platforms and dark web monitoring services. | high |

---

## Detection & Response

**Detection:**

1. **File Integrity Monitoring (FIM):** Deploy FIM on critical file servers to detect the creation of large archive files, a key indicator of data staging.
2. **Data Loss Prevention (DLP):** Network and endpoint DLP solutions can be configured to detect and block the unauthorized transfer of files containing large quantities of PII or PHI.
3. **User and Entity Behavior Analytics (UEBA):** UEBA platforms can baseline normal user and service account activity and alert on deviations, such as an account suddenly accessing thousands of patient records. [`D3-RAPA - Resource Access Pattern Analysis`](https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis).

**Response:**

- Upon detecting suspicious activity, the immediate priority is to contain the threat by isolating the affected servers and blocking outbound C2/exfiltration traffic.
- Preserve forensic evidence and engage an incident response firm to determine the scope of the breach.
- If data has been exfiltrated, legal counsel must be engaged immediately to manage breach notification obligations under HIPAA and state laws.

---

## Mitigation

- **Network Segmentation:** [`M1030 - Network Segmentation`](https://attack.mitre.org/mitigations/M1030/): Segment the network to prevent attackers from easily moving from a compromised workstation to a critical file server containing patient data.
- **Least Privilege Access:** Enforce the principle of least privilege. User accounts should only have access to the data they absolutely need to perform their jobs. Service accounts should have their permissions tightly restricted.
- **Data Encryption:** [`M1041 - Encrypt Sensitive Information`](https://attack.mitre.org/mitigations/M1041/): Encrypting patient data at rest can make it unusable to attackers even if they succeed in exfiltrating it, provided the encryption keys are not also compromised.
- **Egress Traffic Filtering:** [`M1037 - Filter Network Traffic`](https://attack.mitre.org/mitigations/M1037/): Restrict outbound traffic from servers, blocking connections to file-sharing and cloud storage sites that are not explicitly required for business operations.

---

## Entities

| Name | Type |
|---|---|
| Southern Illinois Dermatology | company |
| Insomnia | threat_actor |
| HIPAA | technology |

CVEs: none listed. IoCs: none listed.

## Timeline

| Date | Event |
|---|---|
| 2025-11-28 | Southern Illinois Dermatology discovers the data security incident. |
| 2026-04-02 | The healthcare provider begins mailing notification letters to affected individuals. |
| 2026-04-08 | The 'Insomnia' threat group's claim of responsibility and subsequent data leak are publicly reported. |

## MITRE ATT&CK Techniques

| ID | Name | Tactic |
|---|---|---|
| T1566 | Phishing | Initial Access |
| T1087 | Account Discovery | Discovery |
| T1560.001 | Archive via Utility | Collection |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
| T1486 | Data Encrypted for Impact | Impact |

## MITRE Mitigations and D3FEND Mappings (enterprise domain)

| Mitigation | D3FEND Technique | Description |
|---|---|---|
| M1030 - Network Segmentation | [D3-ITF - Inbound Traffic Filtering](https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering) | Isolate servers containing PHI from the general corporate network to prevent lateral movement. |
| M1022 - Restrict File and Directory Permissions | [D3-LFP - Local File Permissions](https://d3fend.mitre.org/technique/d3f:LocalFilePermissions) | Enforce least privilege on file shares to ensure users can only access the data they need. |
| M1037 - Filter Network Traffic | [D3-NI - Network Isolation](https://d3fend.mitre.org/technique/d3f:NetworkIsolation) | Implement egress filtering to block outbound connections from servers to unauthorized cloud storage providers. |
| M1040 - Behavior Prevention on Endpoint | [D3-RAPA - Resource Access Pattern Analysis](https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis) | Use UEBA to detect anomalous data access patterns that could indicate data staging. |

## D3FEND Countermeasure Recommendations

**[D3-RAPA - Resource Access Pattern Analysis](https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis)** (maps to M1040): To detect an attack like the one on Southern Illinois Dermatology, healthcare organizations must monitor how their data is being accessed. A UEBA or similar system should be used to establish a baseline of normal access patterns for file servers and databases containing PHI. The system should alert on deviations, such as a single user account accessing thousands of patient records in an hour when they normally only access a few dozen, or a service account suddenly reading from a wide range of directories. This behavioral approach can detect the internal reconnaissance and data staging phase of an attack, providing an early warning before the data is exfiltrated. This is far more effective than trying to find a specific malware signature.

**[D3-OTF - Outbound Traffic Filtering](https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering)** (maps to M1037): Data exfiltration is the key phase that turns an intrusion into a data breach. Healthcare organizations must implement strict egress filtering on their networks, especially for servers containing PHI. These servers should not have unrestricted access to the internet. Create firewall rules that block all outbound traffic by default, and only allow connections to specific, required destinations (e.g., for updates or specific business partner APIs). Critically, block all access from these servers to consumer-grade cloud storage sites (Mega, Dropbox, Google Drive) and anonymous file-sharing services. This directly disrupts the primary exfiltration vector used by groups like Insomnia, forcing them to use more complex and potentially easier-to-detect C2 channels.

**[D3-DO - Decoy Object](https://d3fend.mitre.org/technique/d3f:DecoyObject)** (maps to M1056): Organizations can proactively hunt for intruders by planting decoy objects. This involves creating fake files and folders on file shares that appear to contain sensitive patient data, such as 'Patient_SSN_List.xlsx' or '2025_Billing_Records.zip'. These decoy files, also known as honeyfiles, should have auditing enabled to generate a high-priority alert the moment they are accessed, modified, or copied. Since no legitimate user should ever access these files, any interaction is a very high-fidelity indicator of malicious activity. This provides an early warning that an attacker is performing reconnaissance on the network, allowing the security team to respond before the real patient data is found and exfiltrated.

## Additional Cyber Observables

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| command_line_pattern | `net user /domain` | Attackers use this command for reconnaissance to discover user accounts within the domain. | Monitor process creation logs (Event ID 4688) for execution of reconnaissance commands. | medium |
| file_name | `*.rar` | Attackers frequently compress stolen data into RAR archives before exfiltration. | File integrity monitoring on servers, looking for the creation of large archive files. | high |
| network_traffic_pattern | `Outbound connection to mega.io` | Attackers often use legitimate cloud storage services like Mega for data exfiltration. | Firewall or proxy logs. Block access to such sites from servers. | high |

## Impact Scope

- Geographic scope: local
- Companies affected: Southern Illinois Dermatology
- Industries affected: Healthcare
- People affected (estimate): 150,000+

## Tags

Data Leak, Double Extortion, Healthcare, HIPAA, PII, PHI

## Sources

- [Data Breaches Reported by Southern Illinois Dermatology; Heart South Cardiovascular Group - The HIPAA Journal](https://www.hipaajournal.com/data-breaches-reported-by-southern-illinois-dermatology-heart-south-cardiovascular-group/) (The HIPAA Journal, hipaajournal.com, 2026-04-08)
- [Data Breach Alert: Southern Illinois Dermatology](https://www.jdsupra.com/legalnews/data-breach-alert-southern-illinois-6458921/) (JD Supra, jdsupra.com, 2026-04-08)

## Social Post

🏥 Southern Illinois Dermatology notifies over 150,000 patients of a data breach. The 'Insomnia' threat group claims responsibility and has already leaked the stolen data, including SSNs and medical info. #DataBreach #HIPAA #Healthcare

Meta description: The 'Insomnia' threat group has claimed responsibility for a data breach at Southern Illinois Dermatology, leaking the sensitive data of over 150,000 patients.

Record extracted, created and last updated 2026-04-08T15:00:00.000Z.