Hackers stole health records belonging to more than half a million individuals from a non-profit Wisconsin healthcare provider after their attempt to encrypt the organization’s systems failed.
Group Health Cooperative of South Central Wisconsin (GHC-SCW) said an overseas ransomware gang accessed its network in the early hours of Jan. 25.
The organization’s IT department was able to isolate and secure the network, thwarting the encryption attempt, but a subsequent investigation revealed data relating to 533,809 individuals were copied.
The BlackSuit ransomware group claimed responsibility for the attack in a posting on its dark web leaks site last month.
GHC-SCW, which provides healthcare and health insurance services to over 80,000 members, said it was contacted by the alleged extortionists, but it has not publicly confirmed who they are.
“The PHI that the attacker stole may have included name, address, telephone number, e-mail address, date of birth and/or death, Social Security number, member number, and Medicare and/or Medicaid number,” the organization said in a breach notification on its website.
On its leak site, BlackSuit claimed to also be in possession of employee data, along with financial and managerial documents stolen from the member-owned organization.
Systems hardened, no word on ransom payment
GHC-SCW informed the U.S. Department of Health and Human Services and state authorities of the breach, and has written to affected parties.
“As part of our response effort, we reported the incident to the Federal Bureau of Investigation (FBI) and hired outside cyber incident response resources to assist us in restoring and verifying the security of our network and systems, and to investigate the attack,” the Madison, Wisconsin-based organization said.
“These resources successfully allowed GHC-SCW to bring our systems back online methodically and safely.”
GHC-SCW has not disclosed whether a ransom has been paid but said there was “no indication that information has been used or further disclosed”.
“To reduce the risk of this happening again, we have implemented enhanced security measures across all our systems and networks. This includes strengthening existing controls, data backup, user training and awareness, and other measures.”
The BlackSuit ransomware gang was first observed by researchers in May and is believed to be a spinoff of Royal, a notoriously prolific group that extorted more than $275 million from over 350 victims.
From the encryption frying pan to the extortion fire
Erich Kron, security awareness advocate at KnowBe4, said while it was fortunate the IT disruptions at GHC-SCW were minimal, the theft of data gave the criminals “one of the more powerful forms of leverage that current ransomware gangs have” when negotiating an extortion payment with a victim.
“By promising not to leak the information publicly, they can often get organizations to pay up in an effort to avoid potential lawsuits and other issues related to the theft of the data,” he said.
Tamara Kirchleitner, senior intelligence operations analyst at Centripetal, said healthcare organizations were prime targets for cybercriminals due to the sensitive nature of the data they hold and the potential disruption attacks can have on life-saving care.
“Healthcare data is a valuable target for cybercriminals, and organizations must prioritize cybersecurity to protect their patients and critical operations,” she said.
Prominent U.S. healthcare-related cybersecurity incidents that have come to light so far in 2024 have included the widely disruptive ransomware attack against Change Healthcare and the potential breach of more than 800,000 patient records from City of Hope, a Californian-headquartered cancer treatment and clinical research organization.
