On January 2, while many were still greeting each other with “Happy New Year,” Wound Technology Network (“Woundtech”), a Florida-headquartered mobile wound treatment provider, was not off to a great start for the year. On or about December 6, 2025, they had become aware of unusual activity in their network. An investigation confirmed that unauthorized individuals had accessed files between December 6 and December 9, 2025.
It would be more than three months before Woundtech would issue any notifications to regulators and patients.
Much of what we currently know comes from extremely detailed posts and reports by FulcrumSec threat actors, starting with a lengthy data preview on a popular hacking forum.
In 20 years of reporting on breaches, DataBreaches has occasionally seen threat actors provide very detailed analyses of the data tranche they are leaking. Still, the analyses provided by FulcrumSec are probably the most extensive and detailed analyses this blogger has ever seen.
The original S3 bucket contained 6.7 terabytes of data (PDF medical records and wound photos), of which FulcrumSec had exfiltrated 335 GB. They categorize the data into two groups.
Category 1: Snowflake Database Exports (Complete)
Their most recent figures indicate that Snowflake database exports are full-table dumps. They report that the metadata.json files confirmed that “downloaded_rows” matched “total_rows” for each table, indicating complete extraction. Inside the FBS table, the 2,266,857 rows are clinical wound assessment notes. The 928,073 unique patient IDs are identified by numeric PATIENTID only (no names in this table). These patients become identifiable by name when their PATIENTID/EMPI is cross-referenced against NAMM_CAPDATA — verified for at least 86,377 patients who appear in both systems.
Category 2: S3 Bucket Files (5% SAMPLE)
FulcrumSec reports that the S3 bucket at files.emr.[redacted]woundtech.net/public/ contained 178,886 files in the exfiltrated portion (verified by filesystem count). These files are UUID-named with no extensions, and file type analysis (via EXIF extraction and OCR method detection) showed an approximate 50/50 split:
~89,000 clinical wound photographs (JPEG/PNG)
~90,000 PDF referral/intake documents
In FulcrumSec’s opinion, the 928,073 unique patient IDs from the FBS clinical notes table represent the most reliable total patient count, as they come from a complete database dump spanning 4+ years of wound care operations.
Of the 928,073 total unique patients (unique PATIENTID values in the FBS database table), they found or extrapolated:
- 86,377 Named patients with full demographics (NAMM_CAPDATA unique EMPI# + Name)
- 3,523 Insurance claims patients (NAMMDATA unique patients)
- ~450,000–715,000 Estimated patients in full 6.7 TB (S3 Extrapolation from 5% sample)
- ~300 SSNs exposed (in exfiltrated PDFs) + 142 confirmed in 53% OCR sample
- 2,975 Employees exposed (01_CRITICAL_Users/all_users.json)
Woundtech has not released any numbers or responded to FulcrumSec’s initial leak post or specific claims cited above.
What Happened?
When asked how they gained access, FulcrumSec’s spokesperson replied that they used the same approach that they had used with Lena Health: “vulnerable server with plaintext AWS/database credentials on it,” they wrote, later commenting:
If Woundtech had patched their React hosts, none of this would have happened. If they had not stored super-privileged AWS credentials on an internet-facing server, none of this would have happened. If they had encrypted their 6.7tb of extraordinarily sensitive medical data, none of this would have happened.
Fulcrum did give Woundtech credit, however, for detecting the intrusion and patching the entry-point server within 24 hours of initial access.
“This is the first time any company, ever, has rotated AWS credentials before we completed exfiltration,” FulcrumSec’s spokesperson added, but noted that by then, they had already exfiltrated more than 100 GB of sensitive protected health information (PHI).
In response to one of DataBreaches’ questions, FulcrumSec stated that after five weeks of negotiations, Woundtech offered $151,500.00, which was only 30% of the reduced amount FulcrumSec had demanded. The negotiations ended due to Woundtech’s continued low offers.
It’s not surprising that negotiations might fail in any incident, but it’s unclear why Woundtech did not accept FulcrumSec’s unusual request and offer described below.
Woundtech’s Incident Response
On March 16, Woundtech published a substitute notice on its website and notified the California Attorney General’s Office of the breach. Their notification is consistent with FulcrumSec’s report in that they report that information potentially impacted could include: first name, last name, date of birth, telephone number, gender, clinical notes, medical health information, medical treatment information, medical diagnosis information, health insurance information, medical treatment images, and a very limited amount of Social Security numbers.
In response to the incident, they are offering affected individuals free access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services, along with proactive fraud assistance provided by Cyberscout.
But what they are not doing is puzzling.
An Unusual Request and Offer
From the outset of its public statements, FulcrumSec emphasized its efforts to redact sensitive patient information in any leaks to avoid harming patients. According to their published statements and communications with DataBreaches, FulcrumSec has spent considerable time preparing the data tranche for release by carefully redacting data. To that end, they sought to hire someone trustworthy to redact the data, and when they were unable to find someone, they offered to give the data to Woundtech to redact or to use a proxy to redact it reliably.
Woundtech did not take them up on the offer. “We want to redact last names, last 4 of SSN if present, part of email address, and house number from physical address,” FulcrumSec told DataBreaches.
“During negotiations and even after our deal fell through, we have tried to get Woundtech to help us redact the data professionally. We believe they could provide a proxy for legal purposes who could carry this out efficiently. We’d provide the data, and they’d send it back redacted.
“We assume they’re refusing because of potential legal/reputational issues, but this is why we suggested a proxy and told them we would keep their involvement confidential if they’d like. Our redaction will inevitably be imperfect, of which we have warned Woundtech multiple times, so this is Woundtech directly putting the patients they ostensibly care about in harm’s way.”
FulcrumSec provided DataBreaches with some of the negotiations that mentioned redaction. DataBreaches cannot think of any other threat actor or group that offered their target the full data set with a request that they redact it before the threat actors leak it. It is a somewhat stunning request, especially when one considers that the threat actors are giving their victims a chance to protect at least some of the more sensitive data.
Woundtech allegedly did not take them up on the offer and request, as a screengrab from negotiations shared with DataBreaches indicates:

DataBreaches asked FulcrumSec about redacting patient data, and was told that it has always been their policy for health data specifically.
“You can freeze credit, cancel cards, get a new driver’s licence, even a new SSN if need be, but health data is immutable and extraordinarily sensitive. HIV status, drug abuse histories, mental health notes; people take their own lives over this stuff. They don’t do that over leaked driver’s licences,” their spokesperson wrote, mentioning the Vastaamo incident where some therapy patients committed suicide after their sensitive information was leaked publicly.
FulcrumSec Offers to Delete Data
In addition to allowing Woundtech the opportunity to redact patient data before it was leaked, FulcrumSec has also posted something directed to patients on its clear net site. They write that if Woundtech patients email FulcrumSec to request that their name or information be deleted from the tranche, FulcrumSec will honor that request and delete their data. There is no charge or fee to patients for the deletion. They state on their leak site:
If you have concerns about your data being included in the leak package (even redacted, as per the above), you can contact support@data-removal[.]com or reach us at threatspians@fulcrumsec[.]net, and we will permanently remove your medical records and photos from the dataset.
DataBreaches cannot vouch for any criminal group, even though FulcrumSec tells DataBreaches that they have done this in two other situations. Skeptics may properly note that criminals could use the offer to find patients who are motivated to get their data deleted so that they can extort the patients directly.
If any reader has previously contacted FulcrumSec to request data deletion, please email info@databreaches[.]net to let us know whether they honored the request and whether there were any problems.
Questions for Woundtech
DataBreaches emailed Woundtech to ask how many patients were being notified, why Woundtech had not taken FulcrumSec up on its request and offer to let Woundtech redact the acquired data, and why Woundtech’s notification to patients doesn’t mention that data is being leaked on the clear net and patients can email FulcrumSec to request deletion of their data.
DataBreaches received no replies. If they do respond, this post will be updated.
