🇸🇦 Saudi PDPL · August 2022 · 9 min read
# GlobeMed Saudi: 201GB Healthcare Ransomware Attack
In 2022, a ransomware group successfully attacked GlobeMed Saudi, a third-party
healthcare claims administrator that processes medical insurance claims for major
Saudi insurers and healthcare providers. The attackers exfiltrated approximately
201 gigabytes of data before deploying encryption, executing a double-extortion
strategy.
The stolen data included patient medical records, COVID-19 test results, insurance
claims documentation, and prescription histories. As a healthcare data processor
handling sensitive medical information for millions of Saudi residents, the breach
exposed the critical vulnerabilities in the Kingdom's healthcare data supply chain.
## Key Facts
- **What:** Ransomware attack exfiltrated 201GB from healthcare claims administrator.
- **Who:** GlobeMed Saudi, processing claims for major Saudi insurers and providers.
- **Data Exposed:** Patient medical records, COVID-19 results, prescriptions, and insurance claims.
- **Outcome:** Double-extortion attack; health data demands highest PDPL protections.
## What Was Exposed
- Patient medical records including diagnoses, treatment histories, and physician
notes spanning multiple healthcare providers
- COVID-19 test results including patient names, national ID numbers, test dates,
and results, collected during the pandemic era
- Insurance claims documentation including policy numbers, claim amounts, approved
procedures, and denial reasons
- Prescription data including medication names, dosages, prescribing physicians,
and pharmacy dispensing records
- Patient demographic data including full names, national identification numbers,
dates of birth, and contact information
- Healthcare provider data including hospital and clinic identifiers, physician
credentials, and contractual terms
Healthcare data occupies the highest sensitivity tier in virtually every data
protection framework worldwide, and for good reason. The 201GB exfiltrated from
GlobeMed Saudi represented a comprehensive medical profile of each affected
individual. Unlike financial data, which can be reissued through new account numbers
or credit cards, medical data is permanently tied to an individual. A diagnosis of
HIV, a mental health treatment history, or a genetic condition cannot be "reset"
like a compromised credit card.
The permanence and intimacy of medical data make it the single most valuable category
of personal information on dark web markets, typically commanding prices ten to fifty
times higher than financial credentials. A complete medical profile with insurance
information can sell for hundreds of dollars per record, making the GlobeMed dataset
extraordinarily valuable to cybercriminals.
The inclusion of COVID-19 test results adds a time-specific dimension to the breach.
During the pandemic, COVID testing data was collected on an unprecedented scale across
the Kingdom, often through rushed digital systems that prioritized speed of deployment
over security. This data, processed through insurance administrators like GlobeMed,
created vast repositories that linked individuals' health status to their identities.
The exposure of this data could be particularly harmful in employment and social
contexts where COVID status was used as a screening criterion.
GlobeMed's position as a third-party administrator magnifies the impact. As a claims
processor, GlobeMed sits at the nexus of the healthcare data ecosystem, receiving
data from hospitals, clinics, pharmacies, laboratories, and insurance companies. A
single compromise of GlobeMed's systems therefore exposes data that originated from
dozens or hundreds of separate healthcare providers, effectively turning one breach
into a multi-institution data catastrophe. This aggregation risk is inherent in the
centralized claims processing model and represents one of the most significant
systemic vulnerabilities in healthcare data management.
The double-extortion model used by the attackers added another dimension of harm.
Not only were GlobeMed's systems encrypted, disrupting claims processing operations
and potentially delaying patient care authorizations, but the threat of public data
release created ongoing pressure even if the encryption could be resolved through
backups. This model has become the standard operating procedure for sophisticated
ransomware groups targeting healthcare, and it renders traditional backup-focused
ransomware defenses insufficient.
## Regulatory Analysis
Article 16 of Saudi Arabia's PDPL explicitly designates health data as a category of
sensitive personal data requiring enhanced protections. The processing of sensitive
personal data is subject to stricter requirements, including the need for explicit
consent or a specific legal basis, and the obligation to implement security measures
that are proportionate to the heightened risks associated with health information.
GlobeMed's role as a data processor handling sensitive health data places it under the
most demanding tier of PDPL obligations.
The exfiltration of 201GB of medical records represents a clear failure to meet these
requirements. The PDPL does not merely require that organizations attempt to protect
sensitive data; it requires that they succeed in doing so to a standard that is
proportionate to the risk. For healthcare data, that standard is the highest the law
recognizes.
Article 14's requirement for appropriate technical and organizational security
measures takes on particular weight in the healthcare context. The PDPL does not
prescribe specific technical controls, instead requiring that measures be
"appropriate" to the risk. For a healthcare claims administrator processing millions
of patient records, appropriate measures would include encryption of data at rest and
in transit, network segmentation isolating healthcare data from general corporate
systems, endpoint detection and response capabilities, regular vulnerability
assessments and penetration testing, and employee security awareness training focused
on healthcare-specific threats such as ransomware.
The successful execution of a ransomware attack that included pre-encryption data
exfiltration of 201GB suggests fundamental gaps in multiple security domains.
Ransomware attacks follow predictable patterns: initial access, lateral movement,
privilege escalation, data staging, exfiltration, and finally encryption. Each of
these phases presents detection opportunities, and the failure to detect any of them
indicates a systemic rather than a point failure in GlobeMed's security posture.
Article 19's breach notification requirements are particularly critical in the
healthcare context. When medical records are exposed, affected individuals need to be
notified promptly so they can take protective measures, including monitoring for
medical identity theft, alerting their healthcare providers, and being vigilant for
fraudulent insurance claims filed in their name. Medical identity theft is
particularly insidious because it can result in incorrect information being added to a
victim's medical record, potentially leading to dangerous misdiagnoses or
inappropriate treatments.
The relationship between GlobeMed and the insurance companies and healthcare providers
whose data it processes raises important questions about shared liability under the
PDPL. The insurance companies that engaged GlobeMed as their claims administrator
remain data controllers under the PDPL and cannot delegate their data protection
responsibilities to a processor. Under Article 10, they are required to ensure that
their processor maintains adequate security measures. The breach therefore exposes not
only GlobeMed to regulatory action but also every insurer and healthcare provider that
entrusted patient data to GlobeMed's systems.
## What Should Have Been Done
Healthcare organizations and their data processors must adopt a zero-trust
architecture that assumes breach and designs accordingly. GlobeMed should have
implemented micro-segmentation of its network, isolating patient data repositories
from general corporate infrastructure and from each other. Each data store containing
patient records should have been encrypted with unique keys, and access should have
required multi-factor authentication with role-based permissions that limited each
user to only the records necessary for their specific function.
The principle of least privilege is especially critical in healthcare environments
where the aggregation of data across multiple providers creates disproportionate risk.
No single user account should have had access to the full 201GB of data that was
ultimately exfiltrated. Compartmentalization by insurer, by provider, or by data type
would have ensured that even a compromised administrator account could only access a
fraction of the total dataset.
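The compartmentalization described above can be made concrete as a deny-by-default authorization check. The following is an added example, not GlobeMed's code or any real claims platform: every record carries an insurer compartment and a data type, every principal holds explicit (insurer, data type) grants, and a request succeeds only when the role permits the action and a grant covers the record. The roles, record identifiers, insurer names and data types are constructed for illustration. The `reachable_records` helper shows the point the paragraph makes: the blast radius of one compromised account is the set of records its grants reach, not the whole dataset.

```python
"""Compartmentalized, role-based access check for a claims data store.

Added example (not GlobeMed's code). Records are labelled with an insurer
compartment and a data type; principals hold explicit grants scoped to
(insurer, data_type). Access is denied unless BOTH the role allows the
action AND a grant covers the record's compartment. All names below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Data types a claims administrator might hold (constructed list).
DATA_TYPES = {"claim", "prescription", "lab_result", "demographics"}

# Role -> permitted actions. A platform administrator manages the
# system but gets NO implicit read access to patient records.
ROLE_ACTIONS = {
    "claims_adjuster": {"read"},
    "claims_supervisor": {"read", "approve"},
    "platform_admin": {"configure"},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    insurer: str        # compartment: which insurer's data this is
    data_type: str


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    # Explicit (insurer, data_type) grants; nothing is implied by role.
    grants: FrozenSet[Tuple[str, str]] = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, action: str, record: Record) -> Decision:
    """Deny by default; allow only when role and compartment grant both match."""
    if record.data_type not in DATA_TYPES:
        return Decision(False, f"unknown data type {record.data_type!r}")
    if action not in ROLE_ACTIONS.get(principal.role, set()):
        return Decision(False, f"role {principal.role!r} may not {action!r}")
    if (record.insurer, record.data_type) not in principal.grants:
        return Decision(False, f"no grant for ({record.insurer}, {record.data_type})")
    return Decision(True, "role and compartment grant match")


def reachable_records(principal: Principal, action: str, records) -> List[str]:
    """Records this principal can touch: the blast radius of one compromised account."""
    return [r.record_id for r in records if authorize(principal, action, r).allowed]


# Constructed sample data: two insurers, several data types.
RECORDS = [
    Record("c-1", "insurer-A", "claim"),
    Record("c-2", "insurer-B", "claim"),
    Record("rx-1", "insurer-A", "prescription"),
    Record("lab-1", "insurer-A", "lab_result"),
]

# An adjuster scoped to insurer A's claims only, and an admin with no data grants.
ADJUSTER_A = Principal("adjuster-a", "claims_adjuster",
                       frozenset({("insurer-A", "claim")}))
ADMIN = Principal("ops-admin", "platform_admin", frozenset())

if __name__ == "__main__":
    for p in (ADJUSTER_A, ADMIN):
        print(p.user, "can read:", reachable_records(p, "read", RECORDS))
```

The design choice worth noting is that grants are additive and explicit: there is no wildcard, so producing an account that can read every insurer's data requires deliberately enumerating every compartment, which is exactly the kind of over-privileged principal a periodic grant review should catch.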
Ransomware-specific defenses should have been a priority given the threat landscape
in 2022, which saw healthcare organizations globally targeted by ransomware groups at
unprecedented rates. These defenses should have included immutable backup systems
stored in air-gapped or offline environments, tested through regular recovery
exercises. Application whitelisting should have been deployed to prevent the execution
of unauthorized software, including ransomware payloads.
Endpoint Detection and Response (EDR) solutions should have been configured with
healthcare-specific behavioral rules designed to detect the lateral movement and data
staging patterns that characterize pre-encryption exfiltration. The 201GB of data that
was exfiltrated before encryption represents hours or days of data transfer that
should have been detected by network monitoring. Network Detection and Response (NDR)
solutions analyzing east-west traffic patterns would have identified the anomalous
data movements characteristic of ransomware staging operations.
Data Loss Prevention (DLP) solutions should have been deployed at every network
boundary to detect and block the exfiltration of patient data. Modern DLP platforms
can be trained to recognize the patterns of medical records, insurance claims, and
other healthcare data formats, triggering alerts when this data is transferred to
unauthorized destinations. The exfiltration of 201GB, a volume far exceeding normal
business data transfers, should have triggered immediate alerts and automated
blocking.
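The staging and exfiltration phases named in the Regulatory Analysis section, and the volume-based NDR/DLP alerting described in the last few paragraphs, can both be illustrated with a small flow-record analysis. The following is an added example and not any vendor's NDR or DLP logic: it parses constructed NetFlow-style lines, flags an internal host that collects large volumes from many other internal hosts within a window (staging), and flags an internal host whose outbound volume to external addresses exceeds a per-host baseline multiple or an absolute ceiling (exfiltration). The internal CIDR list, the baselines, the thresholds and the sample addresses are all assumptions chosen for the sample data.

```python
"""Egress-volume and staging detection over flow records.

Added example (not any vendor's NDR/DLP product). Reads constructed
NetFlow-style lines "timestamp src dst bytes" and raises two kinds of alert:
  1. STAGING: an internal host receiving >= min_bytes from >= min_sources
     other internal hosts in one window (data being gathered pre-exfil).
  2. EGRESS: an internal host sending more to external addresses in one
     window than `multiple` times its baseline, or more than `ceiling`.
Internal ranges, baselines, thresholds and addresses are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

GIB = 1024 ** 3

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flows: four hosts push data to 10.1.9.50, which then
# sends ~17 GB to an external address; 10.1.4.4 is ordinary traffic.
SAMPLE_FLOWS = """\
2022-06-01T01:00:00 10.1.2.10 10.1.9.50 4000000000
2022-06-01T01:05:00 10.1.2.11 10.1.9.50 3500000000
2022-06-01T01:10:00 10.1.2.12 10.1.9.50 5000000000
2022-06-01T01:15:00 10.1.3.7 10.1.9.50 2500000000
2022-06-01T02:00:00 10.1.9.50 203.0.113.77 9000000000
2022-06-01T02:30:00 10.1.9.50 203.0.113.77 8000000000
2022-06-01T02:45:00 10.1.4.4 203.0.113.10 150000000
2022-06-01T03:00:00 10.1.4.4 10.1.9.50 20000000
"""

# Assumed per-window (1h) outbound baselines in bytes, e.g. from prior weeks.
BASELINE = {"default": 100 * 1000 * 1000, "10.1.4.4": 200 * 1000 * 1000}


def parse_flows(text):
    """Return a list of (datetime, src_ip, dst_ip, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(nbytes)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def window_of(ts, window):
    """Bucket a timestamp into fixed-size windows aligned to the Unix epoch."""
    epoch = datetime(1970, 1, 1)
    return epoch + int((ts - epoch) / window) * window


def detect_staging(flows, window=timedelta(hours=1), min_sources=3, min_bytes=GIB):
    """Alerts as (window, host, bytes_received, distinct_internal_sources)."""
    received, sources = defaultdict(int), defaultdict(set)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            key = (window_of(ts, window), dst)
            received[key] += nbytes
            sources[key].add(src)
    return [(w.isoformat(), str(h), received[(w, h)], len(sources[(w, h)]))
            for (w, h) in sorted(received)
            if received[(w, h)] >= min_bytes and len(sources[(w, h)]) >= min_sources]


def detect_egress(flows, baseline, window=timedelta(hours=1),
                  multiple=10, ceiling=10 * GIB):
    """Alerts as (window, host, bytes_sent_externally) for anomalous egress."""
    egress = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            egress[(window_of(ts, window), src)] += nbytes
    alerts = []
    for (w, host), total in sorted(egress.items()):
        base = baseline.get(str(host), baseline["default"])
        if total > ceiling or total > multiple * base:
            alerts.append((w.isoformat(), str(host), total))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for a in detect_staging(flows):
        print("STAGING", a)
    for a in detect_egress(flows, BASELINE):
        print("EGRESS", a)
```

Two points follow from running it: the staging alert fires an hour before any byte leaves the network, which is the detection window the article says was missed, and the egress rule uses a per-host baseline rather than a single global threshold so that a busy backup server and a quiet workstation are not judged by the same number.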
The contractual framework between GlobeMed and its client insurers and healthcare
providers should have included mandatory security requirements, regular audit rights,
and incident response coordination obligations. Insurance companies should have
conducted annual security assessments of GlobeMed's environment, including penetration
testing focused on the systems that handle their patients' data. A shared incident
response plan should have been established, defining roles, responsibilities,
communication protocols, and decision-making authority in the event of a breach.
The GlobeMed Saudi breach exposes the systemic risk inherent in centralized
healthcare data processing. When a single claims administrator holds medical
records from hundreds of healthcare providers, a single compromise becomes a
mass-casualty data event. Under the PDPL, health data demands the highest tier of
protection, and every organization in the healthcare data supply chain shares
responsibility for ensuring that protection is real, not merely contractual.