Healthcare sector targeted by ransomware attacks
Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis of cyber threat intelligence at a global level.
The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.
In a recent advisory on ransomware operator Black Basta Team, U.S. authorities warned the healthcare sector in particular.
The FBI, the CISA agency, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) pointed out that healthcare organizations are targets of interest to cybercriminals because of their size, technological dependence, access to personal health information, and unique impacts from disruptions in patient care.
The double extortion suffered by Change Healthcare
In 2024, more than 100 ransomware attacks were claimed against this sector worldwide. One of the most important cases involved Change Healthcare, a division of UnitedHealth Group, a leader in healthcare technology.
In February, the company confirmed that it had been hit by a ransomware attack, later claimed by the adversary ALPHV Team, also known as BlackCat. The breach allegedly led to the exfiltration of information related to millions of people and also affected the operations of numerous hospitals, healthcare workers and pharmacies.
According to some sources, a ransom of $22 million was paid in March, which, however, did not avert the risk of disclosure of the stolen data.
To make matters worse, in mid-April another adversary returned to blackmail Change Healthcare. RansomHub allegedly posted on its leak site an ad for the sale of information belonging to the company. As proof of the authenticity of the material, the criminal group allegedly released some billing files, medical records, and medical information referable to patients, as well as contracts and agreements made by the company with its partners.
Deeming a sequence of two different breaches in such a short time implausible, some analysts have advanced the hypothesis that Change Healthcare was caught up in a dispute among ALPHV Team members. Some members allegedly did not share the loot with all of the affiliates, leading some affiliates to join another ransomware group and take the stolen information with them.
Some Italian victims
In Italy, several incidents have primarily impacted public healthcare companies but also private diagnostic centers and manufacturers of medical instrumentation and devices.
The adversary Qilin Team claimed compromises of private companies that supply high-tech medical instrumentation and devices. In addition, a private network of diagnostic centers and outpatient clinics located throughout the country was targeted.
The attack suffered in January by the Basilicata Regional Health Service resulted in the blocking of Internet access and corporate e-mail and the breach of personal data of users and employees. The compromise reportedly spread among the Regional Health Service entities, whose computer networks are interconnected for the management of some applications, involving the Health Authorities of Matera and Potenza, the San Carlo Regional Hospital of Potenza, the Scientific Hospitalization and Care Institute of Rionero in Vulture, and the Basilicata Region.
In February, ransomware operator Rhysida Team reported on its leak site that it had hit ASP Basilicata, ASM Matera, and IRCCS CROB (Istituto di Ricovero e Cura a Carattere Scientifico) and offered the stolen data for sale at a price of 15 BTC (about 727,000 euros).
Investigations revealed that the stolen data, both medical and administrative, mainly involved patients and operators. However, thanks to the backup copies that all companies and the region make, no personal data was lost, nor were the most important documents, such as health files and medical records, altered.
Telsy and TS-WAY
TS-WAY is a company that develops technologies and services for medium and large-sized organizations, with expertise in cyber threat intelligence that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.
It operates as an effective extension of the client organization, supporting the in-house team in intelligence and investigation activities, cyber incident response, and systems security verification.
TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, technology, and by government and military organizations that have used the services of this Italian company over time.
TS-WAY’s Services and Solutions
With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.
Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.
Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.
TS-Intelligence
TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.
It is presented as a Web-usable, full-API platform that can be operated within an organization’s defensive systems and infrastructure, to strengthen protection against complex cyber threats.
Constant research and analysis on threat actors and emerging networked threats, both in APT and cybercrime, produces a continuous information flow of an exclusive nature that is made available to organizations in real-time and processed into technical, strategic, and executive reports.