>samit_hota
Back to advisories
SH-2026-126HighOpen

Easypak Discloses Data Breach Exposing Social Security Numbers and Medical Records

Samit Hota·
CVE ID
N/A
CVSS Score
N/A
Affected Products
Easypak (G-Pak Holdings LLC), individuals with Personally Identifiable Information
#news#easypak

Overview

Easypak, a Massachusetts-based thermoformed plastic packaging manufacturer operating under the legal name G-Pak Holdings LLC, has disclosed a significant data breach that exposed sensitive personal and medical information. The incident, which originated from unauthorized access to its computer network, was publicly claimed by the Akira ransomware group. This breach underscores the persistent threat posed by ransomware operations that increasingly combine data encryption with exfiltration and extortion, commonly known as “double extortion” tactics. The lengthy timeline between initial compromise, public claim, and disclosure highlights the complex and time-consuming nature of breach investigations.

Technical Details

Easypak first detected unauthorized access to its computer network on or about January 13, 2026. Shortly after, on January 29, 2026, the Akira ransomware group publicly asserted responsibility for the attack, posting a claim on the dark web via the Tor network. Akira alleged to have successfully exfiltrated 67 gigabytes of Easypak’s corporate data during their intrusion.

The subsequent investigation into the breach was extensive, concluding on June 8, 2026. This investigation confirmed that certain files containing personally identifiable information (PII) and protected health information (PHI) were indeed accessed without authorization. The types of sensitive data exposed are comprehensive and include full names, Social Security numbers, driver’s license information, financial account data, and medical records. While the investigation concluded in June, Easypak began notifying affected individuals on July 15, 2026. At least 217 Massachusetts residents have been identified as directly affected by this breach, with the possibility of a wider impact being assessed.

Real-World Impact

The exposure of such a broad spectrum of PII and PHI has severe real-world implications for the affected individuals. Full names, Social Security numbers, and driver’s license information are prime targets for identity theft, potentially leading to fraudulent accounts, credit applications, or tax fraud. Financial account data could be used for direct financial theft, while the compromise of medical records can lead to healthcare fraud, unauthorized access to medical services, or even blackmail if sensitive health conditions are revealed.

For Easypak, the impact extends beyond the immediate costs of investigation, remediation, and notification. The company faces significant reputational damage, potential legal liabilities from affected individuals, and regulatory fines under privacy laws such as HIPAA (due to medical records) and state-specific data breach notification statutes. The incident also highlights the operational disruption that can accompany ransomware attacks, even if systems are restored from backups, due to the lengthy forensic analysis and mandatory disclosure processes.

Threat Landscape

The Akira ransomware group emerged as a notable threat actor, frequently employing double extortion tactics where data is exfiltrated before encryption. This strategy gives the attackers additional leverage, as victims are pressured to pay not only to decrypt their data but also to prevent the public release of sensitive information. The group’s use of the dark web and Tor network for claims and data leaks is standard practice for modern ransomware operations, aiming to maintain anonymity and maximize pressure on victims.

The fact that the initial unauthorized access occurred in January 2026, with the data theft claimed shortly thereafter, but the full scope of exposed data was only confirmed in June, illustrates the typical delay in breach detection and comprehensive investigation. This extended timeline provides attackers with ample opportunity to exploit stolen data before victims are even aware of the full extent of the compromise. Manufacturing companies like Easypak, which often possess valuable intellectual property and critical operational data, are attractive targets for such financially motivated cybercrime groups.

Remediation

Easypak is taking several steps to assist affected individuals and enhance its security posture.

  1. Individual Notification: Affected individuals are receiving direct notification letters with detailed information about the breach and steps they can take to protect themselves.
  2. Credit Monitoring Services: The company is offering complimentary credit monitoring services to affected individuals as a precautionary measure against identity theft. This includes instructions on how to enroll in these services.
  3. Fraud Alerts and Security Freezes: Easypak’s notification guidance includes detailed instructions on placing fraud alerts and security freezes with the three major credit bureaus, and how to obtain free credit reports.
  4. Dedicated Call Center: A dedicated call center has been established to answer questions from individuals who received notification letters, providing a direct channel for support and information. This call center will remain operational for 90 days from the date of each individual’s notification letter.

For organizations, this incident serves as a critical reminder to:

  • Implement robust endpoint protection, network segmentation, and intrusion detection systems to prevent unauthorized access.
  • Regularly back up critical data offline and test recovery procedures.
  • Develop and regularly test an incident response plan that includes clear communication strategies and legal counsel engagement.
  • Conduct frequent vulnerability assessments and penetration testing to identify and remediate weaknesses.
  • Provide comprehensive security awareness training to employees, focusing on identifying phishing attempts and suspicious activities that could lead to initial compromise.

The long-term security of Easypak’s systems will depend on a thorough review of its security architecture, processes, and continuous monitoring to prevent future intrusions.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call