Ransomware Gang Gains Access to Confidential Data
A notorious ransomware gang has hacked into the confidential database of the World Trade Center Health Program through one of the private-sector contractors paid to administer claims for the plan, stealing information about thousands of benefit recipients.
Employees of Sedgwick Government Solutions, who process claims from people enrolled in the Health Program, were surprised to find their access to online records cut off in early December. Instead, they were greeted by a screen claiming that the databases they were seeking had been locked behind a password and were slated to be leaked to the “dark web” – a part of the internet invisible to ordinary users, where criminal networks facilitate hacking, drug trafficking, child pornography, money laundering, fraud, and terrorism.
Technology specialists working for Sedgwick quickly found social media postings from a gang of cybercriminals calling themselves TridentLocker, who were engaged in a form of extortion known as “ransomware as a service,” in which sensitive data is withheld from its rightful owners by encrypting it, and the owners are also threatened with online publication of that data (where identity thieves can exploit it) until a fee is paid to resolve both issues. To underscore the seriousness of this threat, on January 2, a three-gigabyte sample of the stolen data, containing 2,947 files, was published on the dark web.
In its formal notification about the leak to regulators and law enforcement agencies, Sedgwick said, “on December 4, 2025, [the firm] discovered that files on a corporate Secure File Transfer Protocol (SFTP) server were unexpectedly encrypted, as a result of unauthorized third party access to the server. [The firm] immediately initiated its incident response process. The company’s investigation determined that the server was compromised on November 16, 2025 by an unauthorized third party. The affected SFTP server was immediately quarantined, all connections were disabled, and on December 5, 2025, a secure backup of the system was restored.”
The statement continued, “on January 2, a ransomware group identifying itself as ‘TridentLocker’ claimed credit for the incident and released approximately 3.4 GB of data associated with the SFTP server on a data leak site. Depending on the individual, the types of affected data may have included: first name, last name, address, Social Security Number, date of birth, and Protected Health Information.”
A Sedgwick spokesperson clarified, “The 2,947 number refers to the number of files involved in the breach and not the number of members impacted. We have found less than 350 members were involved.”
Sedgwick has set up a call center (at 844-425-7438) to provide information to Health Program enrollees who may have been affected, and is offering victims 12 months of complimentary credit monitoring and identity theft protection services through Kroll, a large corporate investigations firm.
“Following the detection of the incident, we initiated our incident response protocols and engaged external cybersecurity experts through outside counsel to assist with our investigation of the affected isolated file transfer system,” a Sedgwick spokesperson said.
In addition to managing the Nationwide Provider Network for the World Trade Center Health Program, Sedgwick also oversees sensitive data for the Department of Homeland Security, the Immigration and Customs Enforcement agency, the Customs and Border Protection agency, Citizenship and Immigration Services, and (somewhat ironically) the Cybersecurity and Infrastructure Security Agency (CISA) – the primary federal office responsible for defending national critical infrastructure against physical and cyber threats.
