The PolySwarm Blog


Recent Threats to the Healthcare Vertical

Nov 14, 2022 12:49:52 PM / by PolySwarm Tech Team


Verticals Targeted: Healthcare

Executive Summary

Multiple incidents in the last few months highlight the ongoing threats to the Healthcare vertical. These incidents have included data leaks, data theft and extortion, ransomware, and other cyber attacks.

Key Takeaways

  • Recent threats to the healthcare vertical include data leaks, data theft and extortion, and ransomware. 
  • Ransomware can lead to the disruption of vital healthcare systems, resulting in interrupted patient care.
  • Both stolen and unintentionally leaked healthcare data can be used for extortion, social engineering, fraud, and identity theft.

Earlier this year, we reported on Maui and Quantum, two ransomware families used to target the healthcare sector. Ransomware attacks on US healthcare organizations have increased by 94% since last year. Beyond data loss and financial cost, these attacks disrupt clinical operations: treatments are delayed, ambulances are diverted to other facilities, and connected equipment fails or becomes unavailable, any of which can result in patient injury or death.

Ransomware Attack on Medibank
Medibank, an Australian health insurance company, was recently the victim of a cyberattack involving an unspecified ransomware family. According to Medibank, the threat actors accessed 10 million records containing customer information, including names, birthdates, addresses, phone numbers, Medicare numbers, passport numbers, health claims data, and health provider details. Medibank took systems offline to contain the threat and announced that it does not plan to pay the ransom. The threat actors threatened to release the data, and recent reports state that some of it has already been leaked online.

CommonSpirit Targeted By Ransomware
CommonSpirit, the second-largest nonprofit hospital chain in the US, was recently the victim of a ransomware attack. CommonSpirit operates more than 1,000 care sites and 139 hospitals across 21 states and employs over 20,000 physicians and clinicians. While the ransomware used in the attack was not specified, CommonSpirit said it took some systems offline to contain the incident, including patient portals and electronic health record (EHR) systems. CommonSpirit patients reported canceled procedures, and ambulances were briefly rerouted to other facilities. A nurse noted that some facilities reverted to paper charts and that some lab work could not be processed.

Daixin Team Targets Healthcare with Ransomware and Data Extortion
CISA, the FBI, and HHS recently released a joint cybersecurity advisory warning the healthcare vertical about Daixin Team, a threat actor group known for ransomware and data extortion. According to the advisory, Daixin Team has been targeting the healthcare vertical since at least June 2022. The group deploys ransomware that encrypts servers, impacting electronic health record, diagnostics, imaging, and intranet services. It also exfiltrates PII and patient health information and uses the data for attempted extortion. The advisory states that Daixin Team gains initial access through victims' VPN servers, moves laterally using SSH and RDP, and uses credential dumping and pass-the-hash techniques to obtain privileged account access. The group's ransomware is based on Babuk Locker.

Data Theft

Threat actors can potentially use stolen PII and healthcare data for extortion, social engineering, fraud, and identity theft. Sometimes data theft is used in conjunction with a ransomware attack for double or triple extortion, with the threat actors threatening to leak or sell stolen data if the ransom is not paid.

Hacker Steals Mental Health Patient Data
Nedap, a Dutch technology company, operates the recently breached Carenzorgt portal. The portal is used by over 9,000 healthcare providers and has almost half a million active users. A threat actor gained unauthorized access during the breach and stole mental health patient data. Authorities were reportedly able to catch the culprit before the data could be sold or leaked. However, threat actors have been known to use mental health data for extortion. In 2020, Vastaamo, a Finnish mental healthcare provider, was breached. The threat actors who stole the data used it to extort thousands of vulnerable patients, threatening to publicly release patient records if a ransom was not paid. One victim feared that notes from his past therapy sessions would be leaked, including notes on his drug use, family tension, and self-harm. These incidents highlight the potential for mental health patient data to be used to extort or inflict reputational damage on an individual.

Data Leaks

Data leaks, even when unintentional, can lead to privacy violations and misuse of patient information. Unintentionally leaked data, in the wrong hands, can be used for the same malicious purposes as stolen data.

Advocate Aurora Health Data Leak Due to Webtrackers
Advocate Aurora Health (AAH), a hospital network serving Wisconsin and Illinois, owns 27 hospitals and employs around 32,000 healthcare professionals. The company was recently impacted by an accidental data leak. Tracking code on the company's websites and patient portals, used to measure customer engagement, potentially transmitted the information of three million patients to Meta, Google, and other third parties. Leaked data included patient names, IP addresses, appointment information, provider details, digital messages, insurance data, and account information. While no threat actor is known to have intercepted the data, it is now in the possession of large technology companies, which is a privacy concern in itself. AAH has since removed the tracking code from its website. The incident is a warning of how mishandled data can create privacy violations and give unscrupulous parties, including threat actors, a path to sensitive information. Novant Health, Atrium Health Carolinas Medical Center, Duke University Hospital, and WakeMed experienced similar data leaks due to tracking pixels earlier this year.
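The common factor in the AAH, Novant, Atrium, Duke and WakeMed incidents is analytics code running on authenticated patient pages. A quick way to audit for it is to fetch a portal page and enumerate every third-party script, image pixel and iframe it loads. The following is an added example, not AAH's or PolySwarm's code: it scans a constructed, invented portal page with the standard-library `html.parser`. The tracker domain watch list, the inline-script markers (`fbq(`, `gtag(`, `dataLayer.push(`) and the portal hostname are assumptions, chosen because those are the loaders the Meta Pixel and Google tags install.

```python
"""Added example: audit a patient-portal page for third-party tracking code.
Not AAH's or PolySwarm's code; the sample HTML, watch list and hostname are
constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch list of well-known analytics/ad endpoints; extend as needed.
TRACKER_DOMAINS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel beacon",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}
# Inline JavaScript calls that show a tracker was initialised on the page.
INLINE_MARKERS = ("fbq(", "gtag(", "dataLayer.push(")

# Constructed portal page (invented): one inline Meta Pixel init, one Google
# tag loader, one first-party script, and a noscript pixel image.
SAMPLE_PORTAL_HTML = """<html><head>
<script>window.fbq=window.fbq||function(){};fbq('init','1234567890');fbq('track','PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123"></script>
<script src="/static/portal.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
<form action="/appointments/book"><input name="provider" value="Dr. Example"></form>
</body></html>"""


class TrackerScanner(HTMLParser):
    """Collect third-party resource loads and tracker calls in inline scripts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
        src = a.get("src") if tag in ("script", "img", "iframe") else None
        if src:
            host = urlparse(src).hostname
            # Relative URLs have no hostname and are first-party by definition.
            if host and host != self.page_host:
                self.findings.append({
                    "kind": f"third-party {tag}",
                    "host": host,
                    "what": TRACKER_DOMAINS.get(host, "unlisted third party"),
                })

    def handle_data(self, data):
        # <script> bodies arrive here because script is a CDATA content element.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            for marker in INLINE_MARKERS:
                if marker in body:
                    self.findings.append({"kind": "inline script", "host": None,
                                          "what": f"calls {marker[:-1]}"})


def scan_portal(html, page_host="portal.example-health.org"):
    """Return every finding for the page; page_host is the portal's own host."""
    scanner = TrackerScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def high_risk(findings):
    """Findings that match the watch list or an inline tracker call."""
    return [f for f in findings
            if f["host"] in TRACKER_DOMAINS or f["kind"] == "inline script"]


if __name__ == "__main__":
    for f in scan_portal(SAMPLE_PORTAL_HTML):
        print(f)
```

Run this against a saved copy of an authenticated page (appointment booking, messaging, claims), since the trackers that matter are the ones that fire after login. Anything that appears in `high_risk` on such a page needs a decision by privacy and legal, not just engineering; a `Content-Security-Policy` with `script-src 'self'` and `img-src 'self'` on those routes prevents a tag accidentally re-added through a tag manager from loading at all.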


Topics: Threat Bulletin, Ransomware, Healthcare, Data Theft, Extortion, Data Leak
