Major Medical Data Breach in Mexico Threatens Citizens

The cybercriminal group KillSec has threatened Mexican company Medical File with publishing over 600,000 medical records unless a ransom is paid. This incident has raised alarms regarding data security and potential risks of identity theft, extortion, and harm to the healthcare sector's reputation.



The cybercriminal group KillSec has issued a serious threat against the Mexican company Medical File, which specializes in managing clinical records. Through its website on the dark web, the group said it would publish more than 600,000 medical records if the company does not pay a ransom to prevent a breach that would affect thousands of Mexicans. KillSec claimed to have extracted 519 GB of confidential information, including more than half a million files containing clinical histories, laboratory results, medical prescriptions, ultrasounds, and other sensitive documents.

As proof of the authenticity of its threat, KillSec shared a sample of 1,749 documents totaling 659 MB. This sample has already been downloaded at least eight times, which means it is very likely that the partial information is already circulating in black markets. The sample files contain data from at least 486 patients, including their age, full name, address, type of exams performed, and even information about the treating physicians.

The leaked documents include a wide range of sensitive data, from test results to complete patient histories. The sample shared by KillSec contained blood analyses, urine tests, medical diagnoses, imaging studies such as ultrasounds and electrocardiograms, and prescriptions issued by various specialists. Each of these documents is linked to the patient's personal information, such as full name, age, address, and file number.

According to cybersecurity experts, the leak could lead to risks of fraud and identity theft, extortion and blackmail, as well as damage to the reputation of the company and the healthcare sector in general. Trust in the protection of medical data could be severely affected, generating doubts about the security of digital health systems in Mexico.

Cybersecurity researcher JayeLTee confirmed that the exposed information comes from an unprotected server of Medical File, rather than a traditional ransomware attack. KillSec typically uses this technique to access vulnerable data and then extort companies to prevent its publication, even though the information is already accessible to anyone who finds it.

KillSec has previously been identified as an actor on the dark web specializing in extorting companies by exposing unprotected data. Unlike traditional ransomware operators, this group accesses poorly configured servers and extracts data without the need to encrypt it. This could result in an additional vulnerability for healthcare professionals, who could be targets of directed attacks or fraud related to their professional practice.

Nicolás Azuara, director of Nico Tech Tips and a cybersecurity analyst, warned about the seriousness of the incident: "Medical records are sensitive data, and in an ideal scenario, the files should be encrypted in such a way that only authorized personnel could access them."