Full Report
New Horizons Medical provides outpatient mental health and substance abuse treatment services in Fitchburg and Haverhill, Massachusetts. In 2024, they were acquired by the Lawrence Medical Center. Today, the DevMan blog listed New Horizons Medical on its dark web leak site, with a countdown clock indicating less than 4 days left. The listing did not...
Analysis Summary
# Incident Report: Alleged DevMan Ransomware Attack on New Horizons Medical
## Executive Summary
New Horizons Medical, a provider of mental health and substance abuse treatment services, was listed on the DevMan Ransomware-as-a-Service (RaaS) dark web leak site with a countdown, alleging the exfiltration of 236GB of data. As of the reporting date, there is no official confirmation from the organization regarding an ongoing attack or encryption event, though external queries have gone unanswered. This potential incident follows a confirmed 2023 ransomware attack that affected over 12,000 patients and employees.
## Incident Details
- **Discovery Date:** December 1, 2025 (via DevMan blog listing)
- **Incident Date:** Undetermined (likely shortly before the December 1, 2025 listing)
- **Affected Organization:** New Horizons Medical (Acquired by Lawrence Medical Center in 2024)
- **Sector:** Healthcare (Mental Health and Substance Abuse Treatment)
- **Geography:** Massachusetts (Fitchburg and Haverhill)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Attributed to the DevMan RaaS group.
- **Details:** The DevMan blog claimed to have acquired data from New Horizons Medical. No external validation or proof (screenshots) was provided in the initial listing.
### Lateral Movement
- **Date/Time:** Unknown.
- **Vector:** Not specified in the report.
- **Details:** Not reported; lateral movement is inferred only from the claimed exfiltration of 236GB of data.
### Data Exfiltration/Impact
- **Date/Time:** Unknown.
- **Impact:** DevMan claims 236GB of data was acquired. The contents are unverified but, given the organization's 2023 breach, potentially include sensitive patient and employee information (names, SSNs, medical records, financial data).
### Detection & Response
- **Date/Time:** December 1, 2025.
- **Detection:** Detection occurred when the DevMan dark web leak site published the listing, including a countdown timer of less than 4 days.
- **Response actions taken:** DataBreaches contacted New Horizons Medical twice regarding confirmation of a breach and encryption event, but received no reply up to the time of reporting.
## Attack Methodology
- **Initial Access:** Unknown; attributed to DevMan RaaS activity.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown (Assumed data collection occurred before exfiltration).
- **Lateral Movement:** Unknown.
- **Collection:** Claimed 236GB of data was collected.
- **Exfiltration:** Alleged; DevMan claims the data was exfiltrated, with the dark web listing as the only evidence so far.
- **Impact:** Data exposure and potential encryption (though encryption not confirmed).
## Impact Assessment
- **Financial:** Not specified; potential costs related to reputation management, notification, and regulatory fines.
- **Data Breach:** Alleged acquisition of 236GB of data concerning patients and employees. Data from the 2023 incident included names, addresses, SSNs, driver’s license numbers, financial account information, medical records numbers, insurance IDs, claims data, diagnoses, and prescription information.
- **Operational:** Not specified if systems are currently encrypted or down.
- **Reputational:** Negative impact due to listing on a known RaaS leak site, especially following a prior major breach in 2023.
## Indicators of Compromise
- *No specific hash, IP, or domain indicators were provided in the source material for network defense.*
- **Behavioral indicators:** Appearance on the DevMan dark web leak site with a countdown timer.
## Response Actions
- **Containment measures:** No specific containment actions were reported by the organization.
- **Eradication steps:** No information available.
- **Recovery actions:** No information available.
## Lessons Learned
- **Prior Weakness:** The organization suffered a significant, long-duration ransomware incident in February–April 2023, suggesting that the "additional safeguards and technical security measures" implemented afterward were insufficient or were bypassed in the subsequent event.
- **Lack of Transparency:** As noted in the report, there was no immediate public response or confirmation to external inquiries following the dark web publication, hindering public understanding and trust.
- **Ransomware Trend:** The reliance on RaaS groups like DevMan remains a high risk for healthcare entities handling sensitive PII/PHI.
## Recommendations
- Immediately confirm or deny the claims made by DevMan and invoke established IR protocols.
- Conduct a thorough forensic investigation to determine the actual scope of compromise from the 2025 incident, paying close attention to how the 2023 remediation efforts were bypassed.
- Increase network segmentation and rigorously enforce least privilege access across all systems storing PHI/PII, given the high value of the data stolen in the 2023 incident.
- Ensure comprehensive, tested incident response plans are in place and that communication channels for external disclosure are prepared in advance.