INTELLIGENCE
ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me

GlobeMed Saudi 201GB Healthcare Ransomware Attack

2022 · Healthcare sector

Publication Date: 2022-01-01
Category: Ransomware
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

In 2022, a ransomware group successfully attacked GlobeMed Saudi, a third-party healthcare claims administrator that processes medical insurance claims for major Saudi insurers and healthcare providers. The attackers exfiltrated approximately 201 gigabytes of data before deploying encryption, executing a double-extortion strategy.

Executive Summary

Key Facts

  • What: Ransomware attack exfiltrated 201GB from a healthcare claims administrator.
  • Who: GlobeMed Saudi, processing claims for major Saudi insurers and providers.
  • Data Exposed: Patient medical records, COVID-19 results, prescriptions, and insurance claims.
  • Outcome: Double-extortion attack; health data demands the highest PDPL protections.
Impact Assessment

What Was Exposed

  • Patient medical records including diagnoses, treatment histories, and physician notes spanning multiple healthcare providers
  • COVID-19 test results including patient names, national ID numbers, test dates, and results, collected during the pandemic era
  • Insurance claims documentation including policy numbers, claim amounts, approved procedures, and denial reasons
  • Prescription data including medication names, dosages, prescribing physicians, and pharmacy dispensing records
  • Patient demographic data including full names, national identification numbers, dates of birth, and contact information
  • Healthcare provider data including hospital and clinic identifiers, physician credentials, and contractual terms

Healthcare data occupies the highest sensitivity tier in virtually every data protection framework worldwide, and for good reason. The 201GB exfiltrated from GlobeMed Saudi represented a comprehensive medical profile of each affected individual. Unlike financial data, which can be reissued through new account numbers or credit cards, medical data is permanently tied to an individual. A diagnosis of HIV, a mental health treatment history, or a genetic condition cannot be "reset" like a compromised credit card.

The permanence and intimacy of medical data make it the single most valuable category of personal information on dark web markets, typically commanding prices ten to fifty times higher than financial credentials. A complete medical profile with insurance information can sell for hundreds of dollars per record, making the GlobeMed dataset extraordinarily valuable to cybercriminals.

The inclusion of COVID-19 test results adds a time-specific dimension to the breach.

During the pandemic, COVID testing data was collected on an unprecedented scale across the Kingdom, often through rushed digital systems that prioritized speed of deployment over security. This data, processed through insurance administrators like GlobeMed, created vast repositories that linked individuals' health status to their identities.

The exposure of this data could be particularly harmful in employment and social contexts where COVID status was used as a screening criterion.

GlobeMed's position as a third-party administrator magnifies the impact. As a claims processor, GlobeMed sits at the nexus of the healthcare data ecosystem, receiving data from hospitals, clinics, pharmacies, laboratories, and insurance companies. A single compromise of GlobeMed's systems therefore exposes data that originated from dozens or hundreds of separate healthcare providers, effectively turning one breach into a multi-institution data catastrophe.

This aggregation risk is inherent in the centralized claims processing model and represents one of the most significant systemic vulnerabilities in healthcare data management.

The double-extortion model used by the attackers added another dimension of harm.

Not only were GlobeMed's systems encrypted, disrupting claims processing operations and potentially delaying patient care authorizations, but the threat of public data release created ongoing pressure even if the encryption could be resolved through backups. This model has become the standard operating procedure for sophisticated ransomware groups targeting healthcare, and it renders traditional backup-focused ransomware defenses insufficient.

Compliance Impact

Regulatory Analysis

Article 23 of Saudi Arabia's PDPL addresses health data processing, with Article 1 defining it as a category of sensitive personal data requiring enhanced protections. The processing of sensitive personal data is subject to stricter requirements, including the need for explicit consent or a specific legal basis, and the obligation to implement security measures that are proportionate to the heightened risks associated with health information.

GlobeMed's role as a data processor handling sensitive health data places it under the most demanding tier of PDPL obligations.

The exfiltration of 201GB of medical records represents a clear failure to meet these requirements. The PDPL does not merely require that organizations attempt to protect sensitive data; it requires that they succeed in doing so to a standard that is proportionate to the risk. For healthcare data, that standard is the highest the law recognizes.

Article 19's requirement for appropriate technical and organizational security measures takes on particular weight in the healthcare context. The PDPL does not prescribe specific technical controls, instead requiring that measures be "appropriate" to the risk.

For a healthcare claims administrator processing millions of patient records, appropriate measures would include encryption of data at rest and in transit, network segmentation isolating healthcare data from general corporate systems, endpoint detection and response capabilities, regular vulnerability assessments and penetration testing, and employee security awareness training focused on healthcare-specific threats such as ransomware.

The successful execution of a ransomware attack that included pre-encryption data exfiltration of 201GB suggests fundamental gaps in multiple security domains.

Ransomware attacks follow predictable patterns: initial access, lateral movement, privilege escalation, data staging, exfiltration, and finally encryption. Each of these phases presents detection opportunities, and the failure to detect any of them indicates a systemic rather than a point failure in GlobeMed's security posture.

Article 20's breach notification requirements are particularly critical in the healthcare context. When medical records are exposed, affected individuals need to be notified promptly so they can take protective measures, including monitoring for medical identity theft, alerting their healthcare providers, and being vigilant for fraudulent insurance claims filed in their name. Medical identity theft is particularly insidious because it can result in incorrect information being added to a victim's medical record, potentially leading to dangerous misdiagnoses or inappropriate treatments.

The relationship between GlobeMed and the insurance companies and healthcare providers whose data it processes raises important questions about shared liability under the PDPL. The insurance companies that engaged GlobeMed as their claims administrator remain data controllers under the PDPL and cannot delegate their data protection responsibilities to a processor. Under Article 10, they are required to ensure that their processor maintains adequate security measures.

The breach therefore exposes not only GlobeMed to regulatory action but also every insurer and healthcare provider that entrusted patient data to GlobeMed's systems.

Assessment

What Should Have Been Done

Healthcare organizations and their data processors must adopt a zero-trust architecture that assumes breach and designs accordingly. GlobeMed should have implemented micro-segmentation of its network, isolating patient data repositories from general corporate infrastructure and from each other. Each data store containing patient records should have been encrypted with unique keys, and access should have required multi-factor authentication with role-based permissions that limited each user to only the records necessary for their specific function.

The principle of least privilege is especially critical in healthcare environments where the aggregation of data across multiple providers creates disproportionate risk.

No single user account should have had access to the full 201GB of data that was ultimately exfiltrated. Compartmentalization by insurer, by provider, or by data type would have ensured that even a compromised administrator account could only access a fraction of the total dataset.

Ransomware-specific defenses should have been a priority given the threat landscape in 2022, which saw healthcare organizations globally targeted by ransomware groups at unprecedented rates. These defenses should have included immutable backup systems stored in air-gapped or offline environments, tested through regular recovery exercises. Application whitelisting should have been deployed to prevent the execution of unauthorized software, including ransomware payloads.

Endpoint Detection and Response (EDR) solutions should have been configured with healthcare-specific behavioral rules designed to detect the lateral movement and data staging patterns that characterize pre-encryption exfiltration. The 201GB of data that was exfiltrated before encryption represents hours or days of data transfer that should have been detected by network monitoring. Network Detection and Response (NDR) solutions analyzing east-west traffic patterns would have identified the anomalous data movements characteristic of ransomware staging operations.

Data Loss Prevention (DLP) solutions should have been deployed at every network boundary to detect and block the exfiltration of patient data. Modern DLP platforms can be trained to recognize the patterns of medical records, insurance claims, and other healthcare data formats, triggering alerts when this data is transferred to unauthorized destinations. The exfiltration of 201GB, a volume far exceeding normal business data transfers, should have triggered immediate alerts and automated blocking.
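The volume-based detection the two preceding paragraphs describe (NDR egress monitoring and the DLP alert on a transfer far above normal business volume) can be illustrated with a small flow-log analyser. This is an added example, not GlobeMed's or any vendor's code; the flow records, internal address ranges and per-host baselines are all constructed for the illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Internal address space (assumed for this example; adjust to the real network).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style records, not real GlobeMed telemetry:
# (timestamp, src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("2022-03-14T01:10:00", "10.20.5.40", "203.0.113.9", 443, 900_000_000),
    ("2022-03-14T01:25:00", "10.20.5.40", "203.0.113.9", 443, 1_100_000_000),
    ("2022-03-14T01:40:00", "10.20.5.40", "203.0.113.9", 443, 950_000_000),
    ("2022-03-14T01:12:00", "10.20.7.3", "198.51.100.20", 443, 2_000_000),   # normal-size transfer
    ("2022-03-14T01:30:00", "10.20.5.40", "10.20.5.17", 445, 500_000_000),  # east-west, not egress
]

# Assumed per-host hourly egress baseline in bytes (learned from history in practice).
BASELINE = {"10.20.5.40": 40_000_000, "10.20.7.3": 60_000_000}
ABSOLUTE_FLOOR = 500_000_000   # never alert below this, to avoid noise on quiet hosts
MULTIPLIER = 10                # alert when egress exceeds 10x the host's own baseline

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def hourly_egress(flows):
    """Sum bytes from internal sources to external destinations, per (host, hour)."""
    totals, dests = defaultdict(int), defaultdict(set)
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
            totals[(src, hour)] += nbytes
            dests[(src, hour)].add(dst)
    return totals, dests

def detect_exfiltration(flows, baseline=BASELINE):
    """Return alerts for hosts whose hourly egress is far above their normal volume."""
    alerts = []
    totals, dests = hourly_egress(flows)
    for (src, hour), nbytes in sorted(totals.items()):
        threshold = max(ABSOLUTE_FLOOR, MULTIPLIER * baseline.get(src, 0))
        if nbytes > threshold:
            alerts.append({"host": src, "hour": hour.isoformat(), "bytes": nbytes,
                           "threshold": threshold, "destinations": sorted(dests[(src, hour)])})
    return alerts

if __name__ == "__main__":
    for a in detect_exfiltration(FLOWS):
        print(f"ALERT {a['host']} sent {a['bytes'] / 1e9:.2f} GB in hour {a['hour']} "
              f"to {a['destinations']} (threshold {a['threshold'] / 1e6:.0f} MB)")
```

A transfer of 201GB would exceed this kind of threshold within the first hour; the same aggregation can be extended to flag the internal east-west copies that precede the upload.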

The contractual framework between GlobeMed and its client insurers and healthcare providers should have included mandatory security requirements, regular audit rights, and incident response coordination obligations. Insurance companies should have conducted annual security assessments of GlobeMed's environment, including penetration testing focused on the systems that handle their patients' data. A shared incident response plan should have been established, defining roles, responsibilities, communication protocols, and decision-making authority in the event of a breach.

The GlobeMed Saudi breach exposes the systemic risk inherent in centralized healthcare data processing. When a single claims administrator holds medical records from hundreds of healthcare providers, a single compromise becomes a mass-casualty data event. Under the PDPL, health data demands the highest tier of protection, and every organization in the healthcare data supply chain shares responsibility for ensuring that protection is real, not merely contractual.