Starr Insurance Confirms Akira Ransomware Stole 15GB of Data Including SSNs and Medical Records
Starr Insurance disclosed a Nov 18 2025 breach where Akira ransomware stole 15GB of data, including SSNs, medical and financial information. Details and mitigations inside.

TL;DR
On November 18 2025, attackers infiltrated Starr Insurance’s network and copied 15 GB of files. The Akira ransomware group claimed the theft on April 1 2026, saying the data included names, addresses, Social Security numbers, driver’s licenses, financial and medical records.
Context
Starr Insurance, an independent agency based in Chambersburg, Pennsylvania, detected suspicious activity on its systems on Nov 18 2025. After engaging external cybersecurity specialists, the company confirmed an unauthorized actor accessed and copied files on that date. A subsequent review by a data analytics specialist identified the scope of the exposed information. On Apr 1 2026, Akira posted a claim on the Tor network, asserting it had stolen 15 GB of organizational data.

Key Facts
The breach may have exposed personal data such as names, addresses, Social Security numbers, driver's license numbers, financial account information, payment card details, medical information, health insurance data, and online account credentials. Akira's statement listed employee passports, driver's licenses, SSNs, financial records, customer information, and non-disclosure agreements among the stolen files. The company posted a notice on its website and provided a contact line (833-918-6215) for affected individuals.

What It Means
The incident reflects a typical double-extortion ransomware operation: attackers first exfiltrate sensitive data, then threaten to release it unless a ransom is paid. Akira's known tactics include phishing for initial access, exploiting unpatched remote services, credential dumping with tools like Mimikatz, lateral movement via SMB, and using encrypted channels for data exfiltration (MITRE ATT&CK T1078, T1566.001, T1059, T1027, T1041, T1486). No specific CVE was disclosed in Starr's notice, but Akira has historically leveraged vulnerabilities in VPN appliances and public-facing applications.

Mitigations
Organizations should enforce multi-factor authentication on all remote access points, patch VPN and firewall appliances promptly (monitor advisories for CVEs affecting Pulse Secure, Fortinet, and similar products), disable SMBv1, and restrict unnecessary lateral movement. Deploy endpoint detection and response (EDR) solutions to detect credential dumping and unusual process execution. Monitor outbound traffic for large or irregular transfers to unknown destinations, and maintain offline, encrypted backups that are tested regularly. Apply network segmentation to isolate critical data stores, and conduct regular phishing simulations and user training.
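The "monitor outbound traffic for large or irregular transfers" recommendation is the one most directly tied to the 15 GB exfiltration described in this notice. The following is an added illustration, not code from the Starr Insurance notice or from any Akira tooling, of how a simple detection might aggregate flow records per source/destination pair so that exfiltration split across many medium-sized sessions still crosses an alert threshold. The flow-log format, the 1 GB threshold, the internal address ranges, the allowlisted destination and every sample record are assumptions constructed for this example.

```python
"""Detection example: flag large outbound transfers to unapproved destinations.

Added illustration for the "monitor outbound traffic" mitigation; the flow-log
format, the 1 GB threshold, the internal ranges and the allowlist are
assumptions made for this example, not part of the Starr Insurance notice.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample records in an assumed format:
# "<iso timestamp> <src ip> <dst ip> <dst port> <bytes sent>"
SAMPLE_FLOWS = """\
2025-11-18T01:02:11Z 10.10.5.21 10.10.5.40 445 2048000
2025-11-18T01:05:40Z 10.10.5.21 203.0.113.77 443 900000000
2025-11-18T01:06:02Z 10.10.5.21 203.0.113.77 443 2400000000
2025-11-18T01:07:15Z 10.10.7.9 198.51.100.10 443 350000000
2025-11-18T01:09:30Z 10.10.5.22 198.51.100.10 443 12000
2025-11-18T01:11:00Z 10.10.5.21 192.0.2.5 22 5100000000
"""

# Assumed internal address space; anything else counts as outbound.
# (ipaddress.is_private is deliberately not used: it also treats the
# documentation ranges used in the sample data as non-public.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed approved destinations (e.g. a sanctioned cloud backup endpoint).
ALLOWLIST = {"198.51.100.10"}
ONE_GB = 1_000_000_000


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    total_bytes: int
    flows: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated sample format; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_large_transfers(flows, allowlist=ALLOWLIST, threshold=ONE_GB) -> list[Alert]:
    """Sum bytes per (src, dst) for outbound flows to unapproved hosts and
    return pairs whose cumulative volume reaches the threshold, largest first.
    Summing across sessions catches exfiltration split into smaller chunks."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [bytes, flow count]
    for f in flows:
        if not is_external(f.dst) or f.dst in allowlist:
            continue
        totals[(f.src, f.dst)][0] += f.bytes_out
        totals[(f.src, f.dst)][1] += 1
    alerts = [Alert(src, dst, b, n)
              for (src, dst), (b, n) in totals.items() if b >= threshold]
    return sorted(alerts, key=lambda a: a.total_bytes, reverse=True)


if __name__ == "__main__":
    for a in find_large_transfers(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.src} -> {a.dst}: {a.total_bytes / ONE_GB:.1f} GB over {a.flows} flow(s)")
```

On the constructed sample, the internal SMB flow is ignored, the two flows to the allowlisted backup host are ignored, and the workstation 10.10.5.21 is reported twice: 5.1 GB to one unapproved host in a single session and 3.3 GB to another accumulated across two sessions, neither of which would have tripped a per-session check on its own. In production the allowlist and threshold would be tuned per host role, and the destination check would be enriched with reputation or first-seen data rather than a static set.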
What to watch next
Akira may publish the stolen data on its leak site or on dark-web forums; organizations should also monitor for follow-up extortion demands targeting Starr Insurance or its partners.