Data Disaster Doubles Down: Two Major Breaches Expose Over 200,000 People Each

Another day, another grim reminder of the relentless cyber threats lurking in the digital shadows. This time, it’s a double whammy: Cierant Corporation, a marketing software and services company, and Zumpano Patricios, a prominent law firm, have both independently disclosed massive data breaches, each impacting over 200,000 individuals.

These disclosures, flagged recently by the eagle eyes of the US Department of Health and Human Services (HHS) data breach tracker, underscore a worrying trend: sensitive personal and health information continues to be a prime target for cybercriminals. While the circumstances of each incident differ, their significant scale serves as a loud alarm for businesses and individuals alike. Let’s break down what happened and what these incidents tell us about the evolving landscape of digital security.

Breach #1: Zumpano Patricios – Law Firms Under Fire

First up, the law firm Zumpano Patricios, with offices across major US cities, reported an intrusion into its IT network on May 6, 2025. While they couldn’t pinpoint the exact start of the breach, their investigation revealed a troubling truth: hackers accessed and potentially exfiltrated files containing highly sensitive information for nearly 280,000 individuals.

Given that Zumpano Patricios represents healthcare providers in disputes with health insurance companies, the compromised data is particularly concerning. It includes:

  • Patient names and dates of birth
  • Social Security numbers (SSNs)
  • Provider names and health insurer information
  • Dates of service and amounts charged/received for medical services

It’s currently unclear if this was a ransomware attack – no known threat group has publicly claimed responsibility. This incident highlights a growing vulnerability for professional services firms, especially those in the legal and healthcare sectors, which often handle vast quantities of highly confidential personal and health information. Their networks can be just as appealing to cybercriminals as those of major corporations.

Breach #2: Cierant Corporation – Cl0p Strikes Again Via Supply Chain

The second major breach involves Cierant Corporation, impacting over 232,000 people. This incident traces back to late 2024, when the notorious Cl0p ransomware group exploited vulnerabilities in Cleo file transfer products. Cierant, which used Cleo’s VLTrader tool, found itself caught in Cl0p’s widespread campaign.

Cl0p is well-known for leveraging zero-day vulnerabilities in popular file transfer software for large-scale data exfiltration, as seen previously with their devastating attacks on MOVEit Transfer and GoAnywhere MFT users. In this case, Cierant’s compromised files contained personal and health data processed on behalf of third-party health plans, including:

  • Names, addresses, and dates of birth
  • Treatment-related dates and generic descriptions of services received
  • Provider names, medical record numbers, and health plan beneficiary numbers
  • Claims numbers and premium information

Cierant was listed on Cl0p’s dark web leak site in early February 2025. While Cl0p claimed to have made the stolen files public, that claim has not been specifically verified. This incident serves as a stark reminder of supply chain attacks – where a vulnerability in one widely used software product (like Cleo’s) can ripple through dozens, even hundreds, of downstream organizations.

Why These Breaches Matter (Beyond the Numbers)

These incidents, revealing hundreds of thousands of impacted individuals, are part of a larger, alarming trend in cybersecurity:

  1. Healthcare Data as Gold: The sheer volume of Protected Health Information (PHI) and Personally Identifiable Information (PII) exposed across both breaches underscores the continued high value of healthcare data on the black market. This information can be used for sophisticated identity theft, medical fraud, and targeted phishing attacks.
  2. The Rise of Data Exfiltration: While the Zumpano Patricios breach isn’t confirmed as ransomware, the Cierant case with Cl0p highlights a persistent strategy: attackers are often more interested in stealing data for extortion or sale than just encrypting it. This shifts the focus from recovery (decrypting files) to damage control (preventing sensitive data from being abused).
  3. Third-Party and Supply Chain Risk: The Cierant breach is a prime example of why managing third-party vendor risk is non-negotiable. Even if your internal security is robust, a flaw in software or a service you rely on can open the door to devastating compromise. Organizations need robust vendor risk management programs.
  4. Regulatory Scrutiny: The fact that these breaches are tracked by HHS points to potential HIPAA violations and significant regulatory fines. This adds another layer of consequence for organizations that fail to adequately protect sensitive data. Law firms are already initiating class-action lawsuits related to these breaches, indicating severe legal repercussions.

These incidents are a sobering reminder that cybersecurity is not just an IT department’s problem; it’s an organizational imperative. For individuals, vigilance is key: monitor your credit reports, be wary of suspicious communications, and consider identity theft protection services. For businesses, the message is clear: prioritize robust security, especially for third-party tools, and prepare for the inevitable – because it’s no longer a matter of if you’ll face a cyber incident, but when.

Have you or your organization ever been impacted by a third-party data breach? What steps did you take? Share your experiences and advice in the comments below!

Copyright © 2022 Inventrium Magazine