Forefront Dermatology notifying patients and employees about ransomware incident

Update November 17, 2022:  Forefront has reportedly settled a class action lawsuit for $3.75 million.

Update: July 12, 2021: Post-publication, learned that external counsel for Forefront Management, LLC and Forefront Dermatology, S.C. reported the incident to the Maine Attorney General’s Office as impacting 4,431 patients.  On July 14, however, this incident was added to HHS’s public breach tool as impacting 2,413,553 patients. Original post follows….

Wisconsin- headquartered Forefront Dermatology issued a press release yesterday afternoon about a ransomware attack that began in May.

Forefront has multiple locations
Forefront Dermatology advertises that it has more than 175 locations and more than 195 board-certified dermatologists.

In their press release, Forefront reports that they had identified an intrusion into their system on June 4, and promptly took their system offline to prevent further spread or damage.

Subsequent investigation revealed that there had been unauthorized access to some of its patient files and employee files between the dates of May 28, 2021 and June 4, 2021. The patient files that were accessed may have included  patient names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, accession numbers, provider names, and/or medical and clinical treatment information.

“There is no evidence that patient Social Security numbers, driver’s license numbers, or financial account / payment card information were involved in this incident,” they write.

Because Forefront’s investigation could not conclusively determine all the patients and employees whose files may have been involved, they are also notifying patients whose information may have been involved.

Forefront has established a dedicated, toll-free call center to help answer patient questions. Additional information is available at or by calling Forefront Dermatology’s dedicated, toll-free incident response line at 855-899-4166, Monday through Friday, between 8:00am to 8:00pm, Central Time.

Forefront’s release does not mention any specific ransom demand or whether they negotiated at all with the threat actors.  As of today, however, some of Forefront Dermatology’s files remain  freely available on the Cuba Ransomware leak site.


Cuba Ransomware

Although not revealed in their disclosure, the attack was the work of threat actors calling themselves “Cuba Ransomware” (some details on Cuba ransomware can be found here).The threat actors dumped some of Forefront’s data at the end of June.

Cuba Ransomware Victim
The threat actors did not indicate how much data they had exfiltrated.

The June data dump did not include a tremendous amount of patient records, although it did include some patient information. The dump was only about 47 MB, but what it did include was more than 130 files with information on the entity’s system and network, with security and backup details, and all their logins to health insurance portals, etc.

Hopefully, Forefront has notified all of the insurers whose portals they use that their login credentials were compromised.  A passwords file in the dump listed more than 100 sets of logins. Sadly, there was what appeared to be a lot of weak password and extensive password reuse. More than 40 passwords had “Forefront” in combination with some digit(s) and an exclamation point. Another 10 had some variant of DAWderm1!

Passwords and email addresses with security quesions used for one insurer’s portal revealed significant re-use. emailed their IT person to ask them some questions. In that July 4 email, I noted that I would be reporting on this breach and that I hope they had changed all their passwords.  I got no reply. That was actually the third email I had sent to Forefront seeking information or a statement. There was no reply to any of them. has been trying — unsuccessfully so far — to reach the threat actors to ask them if they would reveal whether they got patient data and employee data, and if so, how much.

Bad Timing?

There is never a good time for a breach, but this may be particularly bad timing. In researching this incident, discovered articles on PE Hub dated June 30 and July 1 about how OMERS was reportedly preparing Forefront Dermatology for sale.

OMERS did not respond to three email inquiries about the breach or its potential impact on any sale.

Will the breach deter any buyers or will it result in the seller reducing the price of sale? has no idea, but if the entity doesn’t know for sure how much PII and PHI the attacker(s) actually acquired, then what impact might that have?


About the author: Dissent

Comments are closed.