Posted on August 30, 2023 at 10:22 AM
Stolen Data Threat: Rhysida Ransomware Gang Targets Prospect Medical Holdings
Prospect Medical Holdings recently suffered a large cyberattack in which around 500,000 Social Security numbers were allegedly stolen, along with patient records and some corporate documents. A ransomware gang called Rhysida has since claimed responsibility for the breach.
Details about the attack
Researchers believe the attack took place earlier this month, on August 3. Around that time, the company's employees began finding ransom notes on their screens stating that the network had been hacked and that every device connected to it had been encrypted.
This is the pattern of a typical double-extortion ransomware attack: the attackers gain access to a network, exfiltrate any data they judge valuable (usually before the encryption is triggered), and then encrypt the systems. The owners of the network are told to pay a ransom for the decryption key, while the stolen data is held as additional leverage and is leaked or sold if payment is refused.
Prospect Medical Holdings is a US healthcare company that operates 16 hospitals across several states, including California, Pennsylvania, Rhode Island, and Connecticut, along with a network of 166 outpatient centers and clinics.
Hospitals took down their networks to stop the attack
After the attack, most of these hospitals took their IT networks offline to keep the attack from spreading. Isolating the networks was a containment step, but it also meant staff had to fall back on paper charts.
Prospect Medical Holdings initially did not comment on the incident, but researchers identified the Rhysida ransomware gang as the group behind it. Almost a month after the attack, there has been some progress in restoring the networks.
For example, CharterCare, one of the company's hospital networks, now says its systems are up and running again, although work to restore patient records is still under way. A notice published on CharterCare.org reads: "Work to input paper patient records used by our caregivers while our systems were down into our electronic medical record (EMR) system is ongoing."
So far, however, employees have not been told whether any data was stolen during the breach.
What is Rhysida?
The attack was carried out by a ransomware group calling itself Rhysida. The gang launched its operation in May 2023 and quickly became notorious after attacking the Chilean Army; the attackers went on to leak the stolen data, which earned the group a reputation in the security community.
Earlier in August, the US Department of Health and Human Services (HHS) issued a warning about the gang, stating that Rhysida was responsible for recent attacks on healthcare organizations. The gang has since borne that out by openly claiming responsibility for the Prospect Medical Holdings attack. It is also threatening to sell the stolen data, which allegedly consists of 1 TB of documents and a 1.3 TB SQL database containing Social Security numbers, driver's licenses, passports, patients' medical data, corporate documents, and similar sensitive information.
The gang is demanding 50 Bitcoin (BTC), worth about $1.36 million at the coin's price at the time of writing ($27,170).
The hackers described the stolen data themselves on their data leak site, stating: "They kindly provided: more than 500000 SSN, passports of their clients and employees, driver's licenses, patient files (profile, medical history), financial and legal documents!!!"
The group's data leak site also shows screenshots of several driver's licenses and other documents stolen during the attack. Some of these screenshots bear the letterhead of Eastern Connecticut Health Network, one of the hospital networks belonging to PMH.
Despite numerous requests for information and comment, PMH has not responded at this time.