BlackCat Leaking Patient Data and Photos Stolen in Attack
Russia-Linked RaaS Group Attacked Pennsylvania Healthcare Group Last Month
Marianne Kolbasuk McGee (HealthInfoSec) • March 6, 2023
Russian-speaking ransomware gang BlackCat is leaking data stolen from a Pennsylvania-based healthcare group, including photos of breast cancer patients.
On Saturday, the ransomware group posted on its dark leak site a message taunting Lehigh Valley Health Network. “We have been in your network a long time and have had time to study your business,” the group wrote. “We have stolen you confidential information and are ready to publish it.”
Images posted by the criminal gang include screenshots of diagnoses for a handful of patients and pictures of breast cancer patients disrobed from the waist up.
“This is the first time I can recall photos purportedly of patients being prominently displayed on a leak site, and the escalation may be due to the fact that fewer victims are now paying,” says Brett Callow, threat analyst at security firm Emsisoft.
Security researchers have concluded that the rate of ransomware attacks appears to have remained constant over the past three years, but fewer victims are willing to pay extortion demands (see: Ransomware Profits Dip as Fewer Victims Pay Extortion).
“As the criminals find it harder and harder to monetize attacks, their tactics will inevitably become more and more extreme,” Callow says.
Brian Nester, president and CEO of Lehigh Valley Health Network, which operates 13 hospitals and numerous clinics and physician practices in eastern Pennsylvania, on Feb. 22 acknowledged the attack by BlackCat in a public statement.
Nester said the organization’s initial analysis shows that the incident involved a computer system “used for clinically appropriate patient images for radiation oncology treatment and other sensitive information” (see: Pennsylvania Health System CEO Confirms BlackCat Attack).
BlackCat demanded a ransom payment, but LVHN refused to pay, Nester said in the statement.
On Feb. 6, LVHN’s IT team detected unauthorized activity within its IT system, Nester said. As of his Feb. 22 statement, the incident had not caused any disruption to the healthcare organization’s systems.
“Based on our initial analysis, the attack was on the network supporting one physician practice located in Lackawanna County,” Nester said.
Lehigh Valley Health Network did not immediately respond to Information Security Media Group’s request on Monday for comment.
These latest BlackCat incidents come on the heels of a January alert by the U.S. Department of Health and Human Services warning the healthcare sector about growing threats involving BlackCat (see: BlackCat, Royal Among Most Worrisome Threats to Healthcare).
The BlackCat ransomware-as-a-service group has demanded ransom payments as high as $1.5 million, and affiliates keep 80% to 90% of the extortion payments.
Electronic health records vendor NextGen Health and pharmacy management services firm PharmaCare Services were also purportedly among recent healthcare sector victims listed on BlackCat’s leak data site (see: 2 Vendors Among BlackCat’s Alleged Recent Ransomware Victims).
As ransomware and other cybercriminal groups such as BlackCat continue to target healthcare sector entities, it is critical for organizations to heighten their defenses, says Frank Catucci, chief technology officer and head of research at security firm Invicti Security.
“Keep systems scanned, patched and updated as much as possible. Possibly even segregate any systems or networks with potentially sensitive data and enable multifactor authentication whenever possible,” he says.
“Anytime a criminal can use an additional pressure tactic or angle to extort money, they will likely take advantage of that.”