LockBit Ransomware Group Behind Capital Health Cyberattack
Capital Health Systems in New Jersey has recently announced that it fell victim to a cyberattack in late November that temporarily disrupted its IT systems. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell – and an outpatient facility in Hamilton Township. While the attack caused a network outage, care continued to be provided to patients at its hospitals and their emergency rooms continued to receive patients.
Capital Health has confirmed that all systems have now been restored and all services are available at Capital Health facilities; however, the investigation into the cyberattack is ongoing and it has yet to be determined to what extent patient and employee data was involved. Capital Health said law enforcement was immediately notified about the attack and third-party forensic and information technology experts were engaged to assist with the investigation and breach response.
Capital Health has yet to confirm the extent of any data breach but the hacking group behind the attack claims to have stolen more than 10 million files, including 7 TB of medical confidentiality data, and threatened to publish the stolen data if the ransom is not paid. The LockBit ransomware group usually engages in double extortion tactics, where sensitive data are stolen and files are encrypted using ransomware. A ransom demand is issued, and payment is required to obtain the keys to decrypt files and to prevent the publication of the stolen data. In this attack, the group said it deliberately did not encrypt files and only stole patient data as it was not its intention to cause any disruption to patient care. While ransomware was not used, these attacks can still cause network outages as part of incident response processes and therefore still have the potential to disrupt patient care.
Capital Health was given a deadline of January 9, 2024, to prevent the release of the stolen data. While Capital Health was added to the LockBit 3.0 data leak site, the listing has since been removed. Further information on the extent of the data breach will be released as the investigation progresses and notification letters will be issued if data theft is confirmed.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Lawsuit Filed Over Capital Health Cyberattack
The extent of the data breach has yet to be confirmed and notification letters have not yet been mailed by Capital Health but a lawsuit has already been filed against Capital Health over an alleged data breach. The lawsuit was filed on behalf of Capital Health patient Bruce Graycar and similarly situated individuals by attorney Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.
The lawsuit alleges the plaintiff has suffered injuries as a result of the attack and that the failure of Capital Health to issue prompt notifications to the affected individuals has exacerbated the injuries, as the plaintiff and class were unaware that it was necessary to take steps to protect themselves against misuse of their private healthcare information. The lawsuit alleges injuries have been suffered including damage to and the diminution in the value of private information, invasion of privacy, and a present, imminent, and impending injury due to an increased risk of identity theft and fraud.
