
Rhysida claims responsibility for ransomware attacks on Prospect Medical Holdings


The Rhysida ransomware group has reportedly claimed responsibility for the cyberattack on Prospect Medical Holdings, which earlier this month forced the company to take systems offline at hospitals and medical facilities in four states.

Rhysida claims to have stolen 1 terabyte of documents and a 1.3 terabyte SQL database containing 500,000 Social Security numbers, corporate documents, and patient records. The group is threatening to sell the allegedly stolen data for 50 Bitcoin, worth about $1.3 million.

News of Rhysida claiming responsibility for the attack on Prospect Medical follows a warning earlier this month by the Department of Health and Human Services (HHS) that Rhysida was behind recent attacks on healthcare organizations.

HHS describes Rhysida as a new ransomware-as-a-service (RaaS) group that emerged in May 2023. According to HHS, the group uses phishing and Cobalt Strike to breach a target's network and deploy its eponymous ransomware, then threatens to publicly release the exfiltrated data if the victim does not pay the ransom.

HHS noted that Rhysida is still at an early stage, as indicated by its lack of advanced features and its program name, Rhysida-0.1. The ransomware also leaves PDF ransom notes in affected folders, instructing victims to contact the group via its portal and pay in Bitcoin.
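The note-dropping behaviour HHS describes is also a usable detection signal. The following Python is an added example written for this article; it is not Rhysida's code, not an HHS artifact, and not from the original page. It scores file-system events for two things a defender would correlate: one process creating an identically named PDF in many distinct directories within a short window, and the same process changing the extension of many files. The log format, process names, the note file name `HowToRecover.pdf`, the `.locked` extension and the thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample of file-system events, "timestamp|action|process|path".
# The format, process names, note name and ".locked" extension are assumptions
# made for this example, not artifacts taken from Rhysida or from the article.
SAMPLE_EVENTS = r"""
2023-08-03T02:14:05|CREATE|explorer.exe|C:\Users\jdoe\Desktop\notes.txt
2023-08-03T02:14:40|CREATE|AcroRd32.exe|C:\Users\jdoe\Downloads\invoice.pdf
2023-08-03T02:14:55|CREATE|AcroRd32.exe|C:\Users\jdoe\Downloads\invoice.pdf
2023-08-03T02:16:10|RENAME|encryptor.exe|C:\Finance\Q2\budget.xlsx -> C:\Finance\Q2\budget.xlsx.locked
2023-08-03T02:16:11|CREATE|encryptor.exe|C:\Finance\Q2\HowToRecover.pdf
2023-08-03T02:16:12|RENAME|encryptor.exe|C:\Finance\Q3\forecast.xlsx -> C:\Finance\Q3\forecast.xlsx.locked
2023-08-03T02:16:13|CREATE|encryptor.exe|C:\Finance\Q3\HowToRecover.pdf
2023-08-03T02:16:20|RENAME|encryptor.exe|C:\HR\payroll.csv -> C:\HR\payroll.csv.locked
2023-08-03T02:16:21|CREATE|encryptor.exe|C:\HR\HowToRecover.pdf
2023-08-03T02:16:30|RENAME|encryptor.exe|C:\Clinical\charts\p001.docx -> C:\Clinical\charts\p001.docx.locked
2023-08-03T02:16:31|CREATE|encryptor.exe|C:\Clinical\charts\HowToRecover.pdf
2023-08-03T02:16:45|RENAME|encryptor.exe|C:\Users\jdoe\Documents\thesis.docx -> C:\Users\jdoe\Documents\thesis.docx.locked
2023-08-03T02:16:46|CREATE|encryptor.exe|C:\Users\jdoe\Documents\HowToRecover.pdf
2023-08-03T02:40:00|CREATE|encryptor.exe|C:\Archive\HowToRecover.pdf
"""


@dataclass
class Event:
    ts: datetime
    action: str
    process: str
    path: PureWindowsPath                       # new path for RENAME
    old_path: Optional[PureWindowsPath] = None  # only set for RENAME


def parse_events(text):
    """Parse the constructed log format into Event objects, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, action, process, path = line.split("|", 3)
        old = None
        if action == "RENAME":
            old, path = path.split(" -> ")
            old = PureWindowsPath(old)
        events.append(Event(datetime.fromisoformat(ts), action, process,
                            PureWindowsPath(path), old))
    return sorted(events, key=lambda e: e.ts)


def find_note_droppers(events, min_dirs=5, window=timedelta(minutes=2)):
    """Return {(process, note_name): max_distinct_dirs} for every process that
    created a PDF with the same name in >= min_dirs directories inside `window`.
    A sliding window per (process, name) keeps the check cheap on long logs."""
    recent = defaultdict(list)
    hits = {}
    for ev in events:
        if ev.action != "CREATE" or ev.path.suffix.lower() != ".pdf":
            continue
        key = (ev.process, ev.path.name.lower())
        bucket = recent[key]
        bucket.append((ev.ts, str(ev.path.parent).lower()))
        while ev.ts - bucket[0][0] > window:   # expire entries outside the window
            bucket.pop(0)
        distinct = {d for _, d in bucket}
        if len(distinct) >= min_dirs:
            hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


def count_extension_changes(events):
    """Count renames per process that change the file extension (mass-encryption signal)."""
    counts = defaultdict(int)
    for ev in events:
        if ev.action == "RENAME" and ev.old_path.suffix.lower() != ev.path.suffix.lower():
            counts[ev.process] += 1
    return dict(counts)


def triage(text, min_dirs=5, window=timedelta(minutes=2), min_renames=5):
    """Combine both signals into {process: details} for processes worth an alert."""
    events = parse_events(text)
    droppers = find_note_droppers(events, min_dirs, window)
    renames = count_extension_changes(events)
    suspects = {}
    for (process, note), n_dirs in droppers.items():
        suspects[process] = {"note": note, "note_dirs": n_dirs,
                             "ext_changes": renames.get(process, 0)}
    for process, n in renames.items():
        if n >= min_renames and process not in suspects:
            suspects[process] = {"note": None, "note_dirs": 0, "ext_changes": n}
    return suspects


if __name__ == "__main__":
    for process, info in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {process}: note {info['note']!r} dropped in {info['note_dirs']} dirs, "
              f"{info['ext_changes']} extension changes")
```

In the sample, `AcroRd32.exe` writing the same PDF twice into one directory is not flagged, and the late `02:40:00` note creation falls outside the two-minute window and does not extend the hit. In practice the events would come from an EDR or Sysmon file-event feed rather than an inline string, and the note-drop signal alone is noisy (installers and print drivers also write the same file into many folders), so it is best raised only when the same process also shows extension changes.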

Rhysida’s victims are spread across several countries in Western Europe, North and South America, and Australia. The group primarily attacks the education, government, manufacturing, technology, and managed service provider sectors. More recently, however, it has attacked the healthcare and public health sector, as exemplified by the attack on Prospect Medical Holdings (PMH).

Rhysida is not the first ransomware gang to take credit for an attack, said Emily Phelps, director at Cyware.

“There is still much we don't know about this threat group, but as a fairly young group, they likely publicly take credit to garner support and grow their operations,” said Phelps.

A spokesperson for First Health Advisory said publicly claiming the cyberattack on PMH doesn’t really change the impact of the outages or the health system’s responsibility under the Health Insurance Portability and Accountability Act (HIPAA). If patient data was indeed compromised or exfiltrated, PMH will have up to 60 days from discovery to notify patients and regulators under HIPAA, said First Health Advisory.

However, First Health Advisory said the Rhysida group’s claims may put pressure on PMH to release a public response before that timeline. The trouble with public pressure is that PMH may still be working to understand the threat, how the actors got in, and just what data was compromised. While expeditious response may quell public outcry temporarily, network defenders understand that the complexity of the healthcare infrastructure means investigations take time — as will the answers to these questions. Rather than pressuring the health system to respond to the claims of cybercriminals, First Health Advisory said what’s most pressing is understanding the pervasiveness of these actors and their typical tactics.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, added that regulations such as HIPAA and HITRUST have been in place for years, yet ransomware attacks and data leaks that expose millions of PII and PHI records continue.

“Either there are loopholes that exempt providers from it, or the consequences of violating them aren't significant enough to change their behavior,” said Vishnubhotla. “In reality, both things seem to be true. Moreover, most of these regulations focus on securing backend servers and infrastructure, not the client side like mobile apps, the fastest growing entry point for attackers. Again, we see why cryptocurrencies are controversial worldwide. Crypto has some benefits, but its anonymity makes it a really good tool for laundering money and extortion. It makes it so much easier for bad actors to hide illicit activity.”

As Prospect Medical Holdings navigates this dangerous breach, it should serve as a warning for other healthcare organizations to evaluate their cybersecurity posture for weaknesses before sensitive data is exploited, whether by Rhysida or another group, said Darren Guccione, co-founder and CEO at Keeper Security.

“Healthcare organizations large and small should implement a zero-trust architecture with least-privilege access to ensure employees only have access to what they need to do their jobs,” said Guccione. “Companies should also have security event monitoring in place.”
