Skip links

Ransomware gang threatens 1m-plus medical record leak

Two recent ransomware attacks against healthcare systems indicate cybercriminals continue to put medical clinics and hospitals firmly in their crosshairs.

Daixin Team has taken credit for a September 1 assault on Texas-based OakBend Medical Center, causing a shutdown of the organization’s communication and IT systems as well as exfiltrating internal data.

The criminals claim to have stolen more than a million records including names, dates of birth, Social Security numbers, and patient treatment information.

It’s not immediately clear if that’s one million patients affected or one million pieces of sensitive medical and personal info.

The gang further warned a “full leak” of the data may follow, and claims to have shared employees’ personal information already as a download, presumably to prove it siphoned data and/or to chivy the healthcare group into meeting the extortionists’ demands.

OakBend, which operates three hospitals in the US state, said it pulled the plug on its infected computers and “immediately” called in the big guns: the FBI and local government cybersecurity officials, along with experts from Microsoft, Dell, and Malware Protects. “At no time was patient safety every in jeopardy,” a public statement reads.

Today, the medical group posted another update and said its telephone system is partially restored, albeit with no voicemail, and its email service is working.

Second shot fired

Additionally, in a notification to watchdogs last Friday, Pennsylvania’s largest primary care group said a “sophisticated” ransomware crew breached its network security, giving it access to 75,628 individuals’ names, addresses and Social Security numbers along with their medical records.

According to a letter [PDF] sent to patients, Medical Associates of the Lehigh Valley became aware of the attack on July 3, and “immediately” began work to secure its systems. The physicians’ group also called in third-party experts to help determine the scope of the security breach and reported the attack to federal law enforcement.

“Through the investigation, it was determined that certain files may have been subject to unauthorized access as part of the cyberattack,” the notice stated. “Following a thorough analysis, the investigation determined that information contained in the affected files may have included patient protected health information (PHI).” 

The attackers may have accessed patient names, address, email address, date of birth, Social Security number, driver’s license number, State ID number, health insurance provider, medical diagnosis and medical treatment information, medications, and lab results, according to the alert.

“At this time, MATLV is not aware of any evidence to suggest that any information has been fraudulently misused,” the letter stated. “However, MATLV was unable to rule out the possibility that the information may have been accessed during the attack.”

At press time, neither medical group responded to The Register‘s inquiries about the extortionware attacks, which paint a disturbing picture as crooks target networks with potential life-and-death consequences. 

At least 13 US healthcare systems with 59 hospitals between them have been hit by ransomware in 2022, according to Emsisoft threat analyst Brett Callow.

“Ransomware attacks on the health sector are particularly heinous, not only because of the potential for life-threatening disruption to patient care, but also because of the sensitivity of the data that ends up in the hands of cybercrims — in particular, folks’ medical info,” Callow told The Register

“And, of course, unless the providers pay, the data also gets released on the dark web where it can be easily accessed by yet more cybercrims,” he added. “Unfortunately, ransomware is a problem that doesn’t seem to be going away.”

For comparison: last year these infections and intrusion impacted 1,203 American healthcare providers. ®

Source