Threat Bulletin issued August 8, 2023, 4:07 PM
Health-ISAC has observed multiple incidents involving ransomware threat actors attacking healthcare and medical research facilities around the globe. These victims include multiple subsectors within healthcare, including mental health.
Threat actors have successfully infiltrated victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.
In August 2023, Rhysida ransomware threat actors disrupted patient care across multiple hospital locations associated with Prospect Medical Holdings, including Waterbury Hospital. Prior to this incident, Rhysida attacked Haemokinesis LTD, a biomedical research laboratory based in Australia.
For specific details on the Rhysida incident, please review the HC3 Alert available here. The HC3 SectorAlert has also been attached below in PDF format for ease of reference.
Additional Info
While threat actors often claim they do not target healthcare organizations, in practice, threat actors do not hesitate to target healthcare organizations.
extort the providers by threatening to leak sensitive, stolen patient information. In more than one observance, healthcare organizations have refused to pay the ransom and the threat actors have leaked protected health information (PHI). The threat actors then wait weeks to months before removing the data and stating they are no longer extorting the victim due to the correlation to healthcare delivery.
Ransomware aliates have been observed formally apologized for attacking children’s hospitals stating these actions violated their rules. These apologies were made only after encrypting networks associated with healthcare delivery.
No observations have been made of threat actors establishing initial access, discovering they are within healthcare infrastructure, and exiting as they claim.
In June 2023, threat actors compromised patient data, including mammogram images, Social Security numbers, birth dates, and medical history, and made the data public on the internet.
In July 2022, 2.6 million patients had their data leaked after OneTouchPoint was compromised by ransomware affiliates. OneTouchPoint serves many healthcare organizations, and the breach had an impact on many large care providers.
In March 2022, data belonging to 2 million patients was exposed after a threat actor gained access to protected health information (PHI) associated with Shields Health Care Group.
Incident Date
Aug 08, 2023, 11:59 PM
Reference | References
Krebs on Security – https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/
Forbes – https://www.forbes.com/sites/quickerbettertech/2020/03/29/how-nice-ransomware-makers-say-they-wont-target-hospitalsand-other-covid-19-small-business-tech-news/?sh=1347bd2e4295
Healthcareinfosecurity – https://www.healthcareinfosecurity.com/authorities-warn-health-sector-attacks-by-rhysida-group-a-22753
Wired – ps://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/
Tags
Rhysida, DICOM, Ransomware
TLP:WHITE: Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
For Questions and/or Comments:
Please email us at contact@h-isac.org
TLP WHITE - 830a8770 - Ransomware Actors Target Healthcare
HC3 alert Pdf:
rhysida-ransomware-sector-alert-tlpclear