
Cloak Ransomware Exfiltrates 100 GB from St. James Place; Review Takes 19 Months

Cloak ransomware accessed St. James Place in August 2024, claimed 100 GB theft, and the breach review finished 19 months later. Key facts and mitigations.

Peter Olaleru, Cybersecurity Editor

Source: Claimdepot

Cloak ransomware accessed St. James Place’s network for four days in summer 2024, claimed to have stolen 100 GB of data, and the organization finished reviewing the breach 19 months later.

Context

St. James Place, a continuing‑care retirement community in Baton Rouge, discovered a network disruption on 2 August 2024. The facility serves seniors and stores extensive personal and protected health information (PHI). After the incident, the operator engaged independent forensic experts and reported the breach to the Massachusetts Office of Consumer Affairs and Business Regulation on 17 December 2024.

Key Facts

- Unauthorized access spanned 30 July to 2 August 2024, a four‑day window during which attackers moved laterally across the internal network.
- The ransomware group Cloak announced on a dark‑web forum that it exfiltrated roughly 100 GB of files, including names, Social Security numbers, driver’s licenses, passports, financial account details, payment‑card data, dates of birth, medical treatment records, diagnostic results, and health‑insurance information.
- St. James Place began a comprehensive data‑inventory review immediately after discovery. The effort, aimed at cataloguing exposed records and notifying affected individuals, concluded on 4 March 2026, 19 months after the breach was first detected.
- Affected residents with compromised Social Security numbers receive free credit‑monitoring and identity‑protection services from Kroll, accessible via a dedicated hotline (844‑425‑7453, M‑F 9 a.m.–6:30 p.m. ET).

What It Means

The breach highlights the risk of short‑duration intrusions that can yield large data dumps before detection. Cloak’s claim of 100 GB suggests bulk exfiltration, likely using common tools such as PowerShell scripts for file compression and legitimate cloud storage for staging. The prolonged review period underscores the difficulty of mapping legacy health‑care environments, where data resides in multiple silos and may lack a centralized inventory.

Mitigations

- Deploy network segmentation to isolate PHI stores from general‑purpose systems; enforce strict firewall rules between segments.
- Apply the latest patches for Microsoft Exchange (CVE‑2024‑XXXXX) and any vulnerable remote‑desktop services; unpatched systems remain the most common entry point.
- Enable multi‑factor authentication (MFA) for all privileged accounts and enforce least‑privilege access controls.
- Implement continuous monitoring with detection signatures for MITRE ATT&CK techniques T1027 (obfuscated files or information) and T1041 (exfiltration over command‑and‑control channel).
- Conduct regular data‑mapping exercises to maintain an up‑to‑date inventory of sensitive records; this reduces review time after a breach.
- Test incident‑response playbooks quarterly, including tabletop exercises that simulate rapid data‑exfiltration scenarios.
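The "What It Means" section describes the pattern defenders need to catch inside a four‑day window: a single host compressing files and pushing a large volume to external storage. The following detector is an added example written for this article; it is not code from Claimdepot, St. James Place, or any vendor. It scans constructed web‑proxy log lines (timestamp, source host, method, destination, bytes sent, content type) and raises an alert when one host uploads more than a threshold volume of archive content to an unsanctioned storage domain within a sliding one‑hour window. The log format, the domain list, the 1 GiB threshold and the window length are all assumptions to be tuned to a real environment.

```python
"""
Added example (not from the article, Claimdepot, or St. James Place):
a sliding-window detector for bulk archive uploads to unsanctioned
cloud-storage domains, the kind of exfiltration behaviour the article
attributes to Cloak. Log format, domains and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: ts, src host, method, dest host, bytes sent, content type.
# ws-fin-07 pushes three large archives in nine minutes; ws-hr-02 is normal browsing.
SAMPLE_LOG = """\
2024-07-31T02:10:05Z ws-fin-07 POST storage.example-cloud.test 524288000 application/zip
2024-07-31T02:14:41Z ws-fin-07 POST storage.example-cloud.test 734003200 application/x-7z-compressed
2024-07-31T02:19:12Z ws-fin-07 POST storage.example-cloud.test 612368384 application/zip
2024-07-31T09:02:00Z ws-hr-02 GET www.example.test 1200 text/html
2024-07-31T09:05:30Z ws-hr-02 POST mail.example.test 45000 text/plain
"""

# Assumed: storage services the organisation has not sanctioned for business use.
UNSANCTIONED_STORAGE = {"storage.example-cloud.test"}
# Archive MIME types that commonly accompany staged-then-uploaded data.
ARCHIVE_TYPES = {
    "application/zip",
    "application/x-7z-compressed",
    "application/x-rar-compressed",
    "application/gzip",
}
WINDOW = timedelta(hours=1)        # assumed sliding window
BYTES_THRESHOLD = 1 * 1024 ** 3    # assumed: 1 GiB outbound per host per window


def parse_line(line):
    """Split one whitespace-delimited proxy log line into a dict."""
    ts, host, method, dest, nbytes, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "method": method,
        "dest": dest,
        "bytes": int(nbytes),
        "ctype": ctype,
    }


def find_bulk_uploads(log_text):
    """Return one alert per offending host as
    (host, window_start, total_bytes, archive_upload_count).

    Only POST/PUT requests to UNSANCTIONED_STORAGE count; for each host the
    events are sorted and a sliding window of length WINDOW is advanced until
    the summed upload volume crosses BYTES_THRESHOLD.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["method"] in ("POST", "PUT") and ev["dest"] in UNSANCTIONED_STORAGE:
            events[ev["host"]].append(ev)

    alerts = []
    for host, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            total = sum(e["bytes"] for e in window)
            if total >= BYTES_THRESHOLD:
                archives = sum(1 for e in window if e["ctype"] in ARCHIVE_TYPES)
                alerts.append((host, window[0]["ts"], total, archives))
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, started, total, archives in find_bulk_uploads(SAMPLE_LOG):
        print(f"ALERT {host}: {total / 1024 ** 2:.0f} MiB to unsanctioned storage "
              f"starting {started:%Y-%m-%d %H:%M}Z ({archives} archive uploads)")
```

On the constructed sample the detector flags ws-fin-07 after its second upload (about 1.17 GiB in under five minutes) and ignores ws-hr-02. In production the same logic would run over a SIEM's proxy or NetFlow feed with the domain list replaced by the organisation's sanctioned‑storage allowlist; counting archive content types alongside raw volume helps separate staged exfiltration from legitimate large transfers such as backups.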

Looking Ahead

Watch for updates on Cloak’s activity and any new ransomware‑as‑a‑service offerings that may target health‑care providers with similar attack windows.
