Equinox, a New York State health and human services organization, has begun notifying over 21 thousand clients and staff that cyber criminals stole their health, financial, and personal information in a “data security incident” nearly seven months ago.

Adding insult to injury, it appears the LockBit ransomware gang – which was supposed to have been shut down at the time of the incident – may be to blame.

Equinox provides mental health and addiction services, domestic violence support, food and housing, and other community services for kids, adults, and families in New York state’s capital region. It has ten locations, including residential facilities, and serves 3,500 people annually.

On Friday, it began sending notification letters to 21,565 clients and employees, alerting them that scumbags stole digital files containing their personal info – name, address, date of birth, Social Security number, driver’s license or other government identification number, passport number, financial account information, health insurance information, medical treatment or diagnosis information, and/or medication-related information.

The incident, according to a copy of the letter on the Equinox website, occurred on April 29 and disrupted the org’s network access. Equinox says it “immediately” secured its IT environment, hired a top-notch cyber security firm, and started an investigation.

“As a result of the investigation, Equinox learned that certain files in its network may have been accessed or downloaded without authorization,” the notification reads [PDF].

By September 16, Equinox had reviewed the possibly stolen files, and “determined that some individuals’ personal and/or protected health information may have been affected as a result of this incident.”

Cue the data breach letters – and, we’d guess, lawsuits, since the breach does involve protected health info.

Equinox, not to be confused with businesses of the same name, such as the gym chain, did not respond to The Register‘s inquiries about the security breach, including if it was a ransomware infection.

On May 18, the LockBit 3.0 ransomware group listed Equinox on its data leak site, claiming to have swiped 49GB of data.

The lowlife group updated the listing on August 11, according to DataBreaches.net, and gave the organization until August 25 to respond before eventually leaking 31.8GB of files.

It’s worth noting that all of this happened after the high-profile disruption of LockBit back in February. It just illustrates how difficult it is to stop the ransomware scourge despite arrests and infrastructure seizures.

As of August, LockBit 3.0 was still the year’s most prolific encryption and extortion gang, according to Palo Alto Networks’ Unit 42. ®