The PolySwarm Blog


Ransomware Threats to the Healthcare Vertical

Aug 11, 2023 1:34:43 PM / by The Hivemind


Verticals Targeted: Healthcare

Executive Summary

Earlier this month, Prospect Medical Holdings was the victim of a ransomware attack that impacted multiple facilities. In light of this attack, this report provides an overview of ransomware threats to the healthcare vertical.

Key Takeaways

  • The healthcare vertical faces many threats, including ransomware and the related data theft, extortion, and data leaks that often accompany these attacks.
  • In the past two years, the number of ransomware attacks on healthcare entities has increased.
  • Earlier this month, Prospect Medical Holdings was the victim of a ransomware attack that impacted multiple facilities.

Background

The healthcare vertical faces many threats, including ransomware, data theft and extortion, and data leaks. Last year, Sophos reported on ransomware threats to healthcare and noted that ransomware attacks on the vertical doubled from 2020 to 2021. Sophos also noted that entities in the healthcare vertical are among the most likely to pay ransom demands, which is likely a contributing factor to the continual increase in cyber attacks targeting healthcare entities over the past two years.

In Q3 2022, the healthcare vertical became one of the most targeted by ransomware attacks. According to the European Union Agency for Cybersecurity (ENISA), ransomware accounts for 54% of all cyber threats targeting the healthcare vertical. Since the beginning of 2023, at least 15 healthcare systems have been targeted by ransomware, and data was stolen in 12 of those attacks.

Recent Incident

Earlier this month, Prospect Medical Holdings was the victim of a ransomware attack that impacted multiple facilities. The Eastern Connecticut Health Network and medical facilities in Pennsylvania, California, and Rhode Island were also affected by the attack. The attacks led to operational disruption, including facility closures and emergency room diversions. The FBI is currently investigating these attacks. At this time, the name of the ransomware family or families used has not been publicly released.

Implications

Potential harm to patients as a result of ransomware attacks is of greatest concern. These attacks can cause disruption of healthcare operations, leading to death or injury due to delayed treatments, ambulances being diverted to other facilities, and equipment failure. An often-cited case of ransomware endangering a life is a 2019 incident in which a newborn baby died from fatal brain damage after a ransomware attack caused heart rate monitors to fail.

Data theft and data leaks are potential concurrent threats often related to ransomware attacks. Threat actors can potentially use stolen PII and healthcare data for extortion, social engineering, fraud, and identity theft. Sometimes data theft is used in conjunction with a ransomware attack for double or triple extortion, with the threat actors threatening to leak or sell stolen data if the ransom is not paid. Data leaks, even when unintentional, can lead to privacy violations and misuse of patient information. Unintentionally leaked data, in the wrong hands, can be used for the same malicious purposes as stolen data.

Healthcare entities also suffer financially and operationally when they are the victims of ransomware attacks. According to a recent report from IBM, the average cost of a healthcare data breach in 2023 is nearly $11 million USD. Although more likely to pay the demanded ransom, healthcare entities typically recover less of their stolen data than entities in other verticals. They also face a higher cost of recovery and take longer to recover from a ransomware attack than most verticals, and they tend to be less likely to carry cyber insurance, increasing their out-of-pocket costs for recovery.

Ransomware Known to Target the Healthcare Vertical

While some ransomware groups claim to avoid targeting healthcare entities for ethical reasons, others do not subscribe to the same code of ethics and are known to include healthcare entities in the scope of their targeting. Additionally, some affiliates of ransomware as a service (RaaS) operations use the ransomware to target healthcare entities despite any operator rules prohibiting such use. Some of the better-known ransomware families observed targeting healthcare entities are noted below.

Conti

In 2021, Conti ransomware was reportedly used to target the Irish Health Service Executive (HSE). Since then, Conti has also been observed in attacks targeting healthcare facilities in the US and Canada.

Maui

In 2022, North Korean state-sponsored threat actors used Maui ransomware to target multiple entities in the healthcare vertical. The threat actors used Maui to encrypt servers used for healthcare services, including electronic health records, diagnostic services, imaging services, and intranet services.

Quantum

In early 2022, Quantum ransomware was used to attack Professional Finance Company Inc. (PFC), an accounts receivable company used by multiple healthcare organizations for payments. Sensitive patient information stolen in the attack included patient names, addresses, payment information, Social Security numbers (SSNs), birthdates, and medical treatment information.

LockBit

In 2022, LockBit was used to target Centre Hospitalier Sud Francilien (CHSF) in France.

Hive

In late 2022, Hive was used to target Lake Charles Memorial Health System in Louisiana. Patient data was stolen in this attack.

Royal

Earlier this year, Royal ransomware was used in attacks targeting healthcare entities in Illinois, Kentucky, and Tennessee. In addition to the ransom demands, the threat actors behind the attacks stole patient data. Some of the data was shared on Royal's data leak site.

IOCs

At this time, information regarding which ransomware families were used in the recent attacks has not been made publicly available. This is likely due to the potentially sensitive nature of the information affected by the attacks, ongoing containment and mitigation efforts, and ongoing law enforcement investigations. PolySwarm analysts are monitoring for additional information on these attacks, as well as for associated samples. If further information regarding the attacks becomes publicly available, PolySwarm will update this threat bulletin with additional details and relevant samples.


Topics: Threat Bulletin, Ransomware, Healthcare
