Snatch ransomware team adds health insurer victim to their leak site

CareFirst CHP of DC logoIn April, CareFirst BlueCross Blue Shield  posted a notice on its website concerning a ransomware attack in January. The health plan’s announcement reports that the preliminary assessments suggested that:


the attack was limited to CHPDC. Early analysis also indicates that members of other CareFirst BlueCross BlueShield companies, the Federal Employees Program (FEP) and Federal Employees Health Benefits Plan (FEHBP) were not affected by this attack.

At the time, The Hill provided additional details about notifications to plan members.

Since then, however, there has not been any updated notice on CareFirst’s website. sent an email inquiry to CareFirst seeking clarification of some issues but received no reply by publication time. But while there is much we still do not know, we have learned that Snatch Team has some involvement with the data.

Threat actors known as Snatch added CareFirst to their dark web leak site this week, claiming that 258 GB of data was exfiltrated.  The proof of claim files include half a dozen files with what appears to be protected health information. Some of the files posted seem to relate to Michigan residents and Harbor Health Plan in Michigan. In an email to, a spokesperson stated that they were not responsible for the attack.

Snatch Lists CareFirst

If CareFirst provides some answers, this post will be updated.


A paragraph concerning notification to HHS was removed post-publication. The incident was reported to HHS on March 26, 2021 as impacting 200,665 members. It was reported under the name Trusted Health Plans, Inc.

Post-publication, Snatch Team informed that they were not responsible for the attack on CareFirst so the statements attributing the breach to them have been edited to reflect that they listed the data on their site but stated that they were not responsible for the attack.

About the author: Dissent

Comments are closed.