Extortionists Publish Data Stolen from Two Healthcare Service Providers

An attacker group published information stolen from two healthcare service providers in a reported attempt to extort them for money. On February 5, NBC News reported that a well-known ransomware group had published tens of thousands of files to a data leaks website on the dark web. Among those files were scanned diagnostic results, letters to health insurers and a folder containing background checks on employees.

The leaked files originated from Leon Medical Centers, which maintains eight locations in Florida, and Nocona General Hospital, which serves Texans at three locations. Leon Medical Centers announced in January 2021 that it had learned it was the target of a malware incident back in November 2020. The healthcare services provider responded by taking its affected systems offline and working with digital security experts to launch an investigation into what had happened.

In the process, Leon Medical Centers learned that those responsible for the malware attack had gained access to some files containing personal information including names, Social Security Numbers, financial details, health insurance data and medical records.

It went on to report the incident to the Office for Civil Rights at the U.S. Department of Health and Human Services, stating that the malware attack had affected 500 individuals.

“Threat actors are becoming more brazen in their attempts to extort hospitals, and many groups are now threatening to post sensitive information if ransoms aren't paid,” noted Sam Curry, CSO at Cybereason. 

“The tactics used by cyber criminals vary from attack to attack, but at the same time that sensitive data is being posted to the dark web, some criminals are also encrypting the critical files used by doctors and nurses to administer medicine and patient care. This creates a double whammy for hospitals, putting more patients into life-threatening situations.”

That’s not what appeared to happen to Nocona General Hospital, however. At the time of writing, the Office for Civil Rights portal had no record of an incident at Nocona, and NBC News reported that Nocona did not appear to have been a victim of ransomware.

If it had been, NBC indicated, the attackers appeared to have taken the unusual step of publishing the organization’s information before using malware to encrypt its data and demand a ransom payment.

Bryan Jackson, an attorney representing Nocona, confirmed this in a phone call with NBC: "I can't tell you with absolute certainty that they did not send a ransom demand," he said. "I can tell you we did not open one."

There was no statement regarding data theft or ransomware on Nocona’s site as of this writing.

Putting These Attacks in Context

The two attacks discussed above come at a time when ransomware actors are increasingly targeting healthcare organizations. For a time, it seemed the opposite would be the case.

Bleeping Computer reported in March 2020 how several ransomware gangs had indicated that they would not target healthcare service providers during the Coronavirus (COVID-19) pandemic. Not only did many of those attackers break their word soon afterward, but some also ramped up their efforts to deploy their malware payloads more quickly on hospital networks. 

As reported by the Wall Street Journal, the attackers did this because they knew their victims needed their information to operate during the COVID-19 crisis, and so, the attackers reasoned, would be more likely to pay the full ransom demand quickly.

This activity became so prevalent in 2020 that in October of that year the Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning of an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” Over the course of 2020 as a whole, ransomware actors succeeded in hitting 560 healthcare institutions, Emsisoft wrote.

Curry wrote that these digital attackers deserve to be punished but noted that they likely won’t be. 

“Let’s not be fooled into having any compassion or sympathy for threat actors that are deliberately and recklessly attacking hospitals during a pandemic—or any time, for that matter,” Curry explained. 

“Targeted cyber espionage campaigns or any attack on organizations on the front lines of the healthcare industry could be considered acts of war. The criminals behind these latest attacks should be brought to justice and into a courtroom to face a jury of their peers. Unfortunately, these attacks could very well originate on foreign soil, and it's very unlikely anyone will be arrested.”

How to Help Healthcare Institutions Defend Against Ransomware

What happened in 2020 highlights the need for healthcare organizations to defend themselves against ransomware. The only way they can do that is by taking a proactive approach to their security posture, and Curry agrees with that assessment.

“While no hospital will prevent motivated and skilled cyber criminals from accessing a network they have their sights set on, they can dramatically reduce risk and minimize damage by constantly threat hunting in their networks to discover malicious acts fast with the singular goal of reversing the adversary advantage and returning the advantage to cyber defenders,” he said.

Healthcare organizations can do this by partnering with Cybereason to move beyond the limitations of retrospective Indicators of Compromise (IOCs) and instead use the subtler Indicators of Behavior (IOBs) to detect the earliest stages of an attack, before it escalates into a serious breach event. 
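As an added, constructed illustration of the IOC-versus-behavior distinction above (example code written for this page, not Cybereason's platform or the author's), the following compares a retrospective hash-list lookup with a simple behavioral rule over made-up file-activity events. Every hash, path, process name and threshold here is a placeholder chosen for the demonstration, not a real indicator.

```python
"""Hash-based IOC matching vs. a behavioral heuristic over constructed file events.

Added example for this page; it is not Cybereason's code. All hashes, paths,
process names and thresholds are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class FileEvent:
    ts: int        # seconds since the start of the constructed capture
    pid: int
    process: str
    action: str    # "write" or "rename"
    path: str      # destination path (for a rename, the new name)
    sha256: str    # hash of the executing binary (constructed, not a real IoC)


# Constructed placeholder standing in for a retrospective IoC feed.
KNOWN_BAD_HASHES = {"placeholder-hash-of-previously-seen-sample"}

# Extensions this (constructed) site treats as normal for user and clinical files.
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".dcm"}


def ioc_matches(events, iocs=KNOWN_BAD_HASHES):
    """Retrospective detection: flags only binaries already on the hash list."""
    return sorted({e.process for e in events if e.sha256 in iocs})


def behavior_alerts(events, window=60, min_files=20, min_dirs=3):
    """Behavioral detection: one process leaving many files, across several
    directories, with an extension outside the baseline within `window`
    seconds. That pattern matches bulk rename-after-encrypt activity and
    needs no prior knowledge of the binary."""
    by_pid = defaultdict(list)
    for e in events:
        ext = os.path.splitext(e.path)[1].lower()
        if e.action in ("write", "rename") and ext not in BASELINE_EXTENSIONS:
            by_pid[e.pid].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window` seconds.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            files = {e.path for e in span}
            dirs = {os.path.dirname(e.path) for e in span}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts.append({"pid": pid, "process": evs[0].process,
                               "files": len(files), "dirs": len(dirs),
                               "first_ts": span[0].ts, "last_ts": span[-1].ts})
                break  # one alert per process is enough for triage
    return alerts


def sample_events():
    """Constructed events: a word processor, a noisy backup job and an unknown
    process renaming files. None of these reflect real telemetry."""
    events = []
    # Benign: a user saving a few documents over ten minutes.
    for i in range(5):
        events.append(FileEvent(i * 120, 1001, "winword.exe", "write",
                                f"C:/Users/alice/Documents/report{i}.docx", "hash-winword"))
    # Benign but noisy: a backup job copying many files and keeping their extensions.
    for i in range(40):
        events.append(FileEvent(300 + i, 2002, "backup.exe", "write",
                                f"D:/Backups/dir{i % 5}/file{i}.pdf", "hash-backup"))
    # Suspicious: a never-before-seen binary renaming files across directories.
    for i in range(30):
        events.append(FileEvent(900 + i, 3003, "unknown.exe", "rename",
                                f"C:/Shares/Patients/ward{i % 4}/scan{i}.dcm.locked",
                                "hash-never-seen"))
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("IOC matches:", ioc_matches(evs))          # empty: the hash was never seen before
    print("Behavior alerts:", behavior_alerts(evs))  # one alert for pid 3003
```

The point of the comparison is the asymmetry: the hash list only fires if the exact binary has been catalogued before, while the behavioral rule fires on what the process does. The backup job shows why the rule keys on the destination extension rather than on raw file counts alone; thresholds like `window`, `min_files` and `min_dirs` would need tuning against a real environment's baseline.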

The Cybereason Defense Platform automatically detects and stops ransomware within seconds through a combination of threat intelligence, deception techniques, behavioral analytics and machine learning. Talk to a Cybereason Defender today to learn more.

About the Author

David Bisson

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.
