Freedman Healthcare says "no health data compromised" as ransomware gang dumps 52GB


The CEO of Freedman Healthcare (FHC) tells Cybernews that no client health data was compromised in a ransomware attack that made headlines on Monday – but it seems there is more to the story, as the World Leaks gang, who claimed the breach, dumps over 52 GB of sensitive data on the dark web.

The US data management software firm, which provides its technology services for more than two dozen state-run public health departments, multiple non-profit organizations, and insurance companies, was claimed by the World Leaks ransomware group on Monday.

Freedman Healthcare CEO, John Freedman, in a statement personally sent to Cybernews on Tuesday, reiterated (in bolded letters no less) that “no health data was compromised in this incident.”

The problem here is that Freedman’s declaration, while possibly true, does not account for the other 52.4 GB of sensitive data claimed by the cybercriminals – and published on the gang’s dark leak site as promised, also on Tuesday.

World Leaks blog. Image by Cybernews

Leaked data contains thousands of sensitive docs

There were 42,204 files allegedly stolen in the Freedman HealthCare ransomware attack.

Cybernews was able to examine the published data, which appears to be chock-full of sensitive corporate documents and spreadsheets dating from 2021 through 2024.

The Massachusetts-based health technology firm “designs, implements, and maintains comprehensive data systems,” including payment processing, for 27 US states, including Colorado, California, Connecticut, Hawaii, North Carolina, Ohio, Rhode Island, and Tennessee.

With just 82 employees, the database and payments processing solutions firm has a revenue of $18.1M, according to the business data analytics site Owler.

Documents in the Freedman cache include annual budget reports, vendor contracts, insurance paperwork, inventory, client files – and at least one database clearly showing plaintext login credentials to FHC state client accounts, which, presumably, could lead bad actors directly to clients' protected public health data.

World Leaks blog. Image by Cybernews

Cybernews also saw dozens of employee files, labeled by name, filled with unencrypted copies of employee work contracts, visa, green card, and REAL ID applications, full bank statements, employee pay stubs, tax documents, resumes, copies of college diplomas, and even employee COVID-19 test results.

All of the personally identifiable information can easily be used by cybercriminals to carry out targeted spear phishing attacks and/or identity theft.

The security incident, which happened “in late April” according to the CEO, was discovered to have only “compromised a limited portion” of the company’s IT system.

World Leaks blog. Image by Cybernews

“We immediately engaged external cybersecurity experts to secure our network and perform a thorough forensic investigation,” Freedman said.

“The investigation determined that the incident only impacted one file server and did not affect any protected health information of any of our clients,” Freedman said.

The CEO also noted that no “all-payer claims data” was affected in the attack and that the malicious files were “located and removed and systems re-secured.”

World Leaks ramps up operations

First launched in January 2025 as an “extortion-as-a-service” platform, the World Leaks group does not bother to incapacitate its victims’ systems, only focusing on the collection of sensitive data.

The operation is said to be a project started by the more well-known Hunter’s International ransomware group, looking to make an easy buck without garnering attention from authorities, according to a Group-IB report from April.

The FBI and international law enforcement had been ramping up arrests on many of the other “double extortion” ransomware cartels operating seemingly with abandon at the time.

Cybernews Ransomlooker tool on June 16, 2025, shows Hunter's International has claimed 166 victims in the last 12 months. Image by Cybernews.

The World Leaks dark web platform shows about 22 victims since January, with about half of them located in the US.

By contrast, Hunter’s International has carried out at least 166 ransomware attacks over the past year, according to the Cybernews Ransomlooker tool.

Hunter’s International, known for high-profile attacks on ICBC London, Benetton, and Tata Technologies, had announced it was closing its operation and rebranding as the World Leaks project, but it appears both operations are still continuing to carry out attacks, Group-IB said.