Multiple Healthcare Providers Affected by Thanksgiving Ransomware Attack
Cyber actors often time their attacks to coincide with holiday periods when IT staffing levels are likely to be reduced to increase the probability of being able to access networks and exfiltrate data undetected, especially during Thanksgiving weekend. This year is no exception. Several healthcare providers have announced that they are currently investigating potential cyberattacks that were detected on or just before Thanksgiving Day. Initially, the cause of the outages was unclear but it has since been determined that this was a ransomware attack on Ardent Health Services. At such an early stage in the investigations, it is unclear if patient data has been exposed or stolen.
UT Health East Texas, Texas
Tyler, TX-based UT Health East Texas, the operator of 10 hospitals and more than 90 healthcare clinics in East Texas, has confirmed that it experienced a network outage on Thursday, November 24, 2023. Steps were immediately taken to lock down its network to prevent any further unauthorized access. Without access to critical IT systems, ambulances were put on divert; however, care continues to be provided to patients with the health system operating under established downtime procedures. A statement was issued by a UT Health East Texas spokesperson saying network access is expected to be restored in around 24-36 hours, although it is currently unclear if that has happened.
Portneuf Medical Center, Idaho
Portneuf Medical Center in Pocatello, IA, has launched an investigation into a possible cyberattack and data breach that was detected on November 24, 2023. The attack resulted in a network outage, and the decision was taken to put the emergency room on divert status until access to its network was restored. The medical center is operating under established downtime procedures and says patient care has been unaffected.
BSA Health System, Texas
BSA Health System in Amarillo, TX, said it experienced an outage on November 24, 2023, and implemented its emergency downtime procedures with its staff using paper records while systems are out of action. The decision was also taken to temporarily divert ambulances to other nearby medical facilities. An investigation has been launched into the cause of the outage and systems will be brought back online when it is safe to do so.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Lovelace Health System, New Mexico
Lovelace Health System in Albuquerque, NM, experienced an outage on November 24 and implemented its downtime procedures. Without access to IT systems, the staff recorded patient data using pen and paper and its emergency room was placed on divert and patients were rerouted to alternative healthcare facilities. The decision was also taken to cancel some non-urgent elective surgeries, which will be rebooked when systems have been restored. The outage has affected all Lovelace Health System centers in the state.
Hillcrest HealthCare System, Oklahoma
Hillcrest HealthCare System in Tulsa, OK, has reported an outage that was detected on Thanksgiving Day and has launched an investigation into a possible cyberattack. The incident took down parts of its network and prevented access to patient records in the MyChart system. The health system has implemented emergency downtime procedures while the attack is investigated and systems are restored. A spokesperson for the health system said patient care has not been affected but some emergency rooms have been placed on divert until systems are restored as a precaution.
Hackensack Meridian Health, New Jersey
The New Jersey health system, Hackensack Meridian Health, was also affected by the attack on Ardent Health Services. The attack caused disruption at Hackensack Meridian Mountainside Medical Center in Montclair and Hackensack Meridian Pascack Valley Medical Center in Westwood. Both medical centers took the decision to divert patients to other nearby emergency rooms as a precaution to ensure that emergency patients had immediate access to the highest level of care. Both medical centers are following established downtime protocols and are using paper records while IT systems are offline and they are working to bring their systems back online. Chiara Marababol, administrative director of Marketing & Public Relations for Hackensack Meridian Mountainside Medical Center, said there has been no adverse impact on patient care and no other facilities have been affected as they operate on a separate network.
University of Kansas Health System St. Francis Campus, Kansas
University of Kansas Health System St. Francis Campus in Topeka, KS, experienced a network outage on Thanksgiving Day and has launched an investigation into a possible cyberattack. Care continues to be provided to patients, although ambulances are being diverted to alternative facilities. The health system has established downtime procedures that have been implemented while systems are offline and cybersecurity experts have been engaged to assess the impact of the outage and ensure its systems are secured. They will be brought back online when it is safe to do so.
Three Healthcare Providers Added to Hacking Group Data Leak Sites
Three healthcare providers have recently been added to the data leak sites of hacking groups.
Vanderbilt University Medical Center, Tennessee
Vanderbilt University Medical Center (VUMC), which operates seven hospitals and many healthcare facilities in and around Nashville, TN, has confirmed an investigation has been launched into a recent cyberattack. While the nature of the cyberattack has not yet been disclosed, VUMC has confirmed that a database was compromised in the attack, although the preliminary results of the investigation indicate neither patient nor employee data were stolen in the attack.
On November 24, 2023, VUMC was added to the Meow Leaks data leak site, along with 7 (non-healthcare) victims. The listing indicates the attack occurred on November 2, 2023, and the group claims to have 100% leaked the stolen data and has threatened to hack VUMC again if the ransom is not paid.
Crystal Lake Health Centers, Michigan
Crystal Lake Health Centers, the operator of 11 health centers in Michigan, has recently been added to the Hunters International data leak site. The listing includes a sample of 47.5 MB of data as evidence of the attack, and the group claims to have exfiltrated 120 GB of data in total including patient information such as contact details, SSNs, and insurance data. Hunters International is primarily a data theft and extortion group; however, has recently acquired the infrastructure and source code of the now-defunct Hive ransomware group.
Granger Medical Clinic, Utah
Granger Medical Clinic in Riverton, UT, was added to the data leak site of the NoEscape ransomware group on November 24, 2023. It is not clear from the listing when the attack occurred but it appears that the clinic entered into negotiations before refusing to pay the ransom. The group claims to have infiltrated 38 GB of data and has published screenshots as proof of the attack. The NoEscape group claims to have successfully encrypted data on the network and exfiltrated employee data and patient data, including names, contact information, more than 2,000 passports, and tens of thousands of SSNs. The group demanded payment of $700,000 to prevent the release of the stone data.
The medical clinic has not yet announced the ransomware attack and data breach but has posted a notice on its website warning about emails that claim to be from Granger Medical Clinic about employment opportunities and said communications would only come from @GRANGERMEDICAL.COM, @SEND.APPLICANTEMAILS.COM, or @APPLICANTEMAIL.COM and the clinic would never ask for payment in relation to job opportunities. It is unclear if this scam is related to the ransomware attack.
