Fredericksburg Foot & Ankle Cente reports data breach half a year later

The Fredericksburg Foot & Ankle Center (FFAC) located in Virginia started the process of sending out notification letters to nearly 15,000 of its patients on 24th of October. This notification was sent to notify of a cyber intrusion that impacted their computer systems.

The communication to the patients briefly mentioned an "unauthorized person" accessing their computer infrastructure but does not disclose details of nature of the attack.

The compromised patient data might encompass a range of details like

• names,
• addresses,
• Social Security numbers,
• clinical records,
• insurance information,

with the specific data varying for each individual.

Per the notification, the incident took place on April 21.The reasons for the considerable time gap between the incident and the notification remain unexplained. The legal representatives of FFAC informed regulators on 5th of September.

Funny enough, LockBit3.0, has included FFAC on its leak site from 7th of June, which means the public was aware but the patients and regulators were kept in the dark by the company.

Even though LockBit3.0 had set a deadline in June for a ransom payment, they did not release the data at that time. However, a day after FFAC made a formal notification on their website and communicated the incident to Maine, LockBit3.0 reacted by releasing what they claimed to be 1.6 terabytes of FFAC's data. This means that FFAC probably negotiated to pay a ransom, but ultimately negotiations broke down.