Recently, Prospect Medical Holdings (PMH) fell victim to a massive cyberattack in which around 500,000 social security numbers are believed to have been stolen. The hackers also made off with patient records and some corporate documents. Since then, a ransomware group called Rhysida has claimed responsibility for the breach.
Details of the attack
Researchers believe the attack occurred at the beginning of the month, on August 3. At that time, the company’s employees began to find ransom notes on their screens. These notes indicated that their network had been hacked and that all devices connected to it were encrypted.
Here’s how a typical ransomware attack works: hackers identify a network, breach its security and encrypt devices, while trying to steal information deemed valuable and sell it to others who might have use for it. Meanwhile, the owners of the targeted network are informed that they must pay a certain sum to obtain the decryption key and unlock their files.
Prospect Medical Holdings is a US-based healthcare company operating 16 hospitals in various states, including California, Pennsylvania, Rhode Island and Connecticut. Beyond these 16 facilities, the company has a network of 166 outpatient centers and clinics.
Hospitals shut down their networks to stop the attack
After the attack, most of these hospitals shut down their computer networks to prevent the attack from spreading further. With their networks offline, however, they were forced to revert to paper records.
Initially, Prospect Medical Holdings did not comment on the event. However, researchers learned that the group behind the attack was the Rhysida ransomware gang. Almost a month has passed since the attack, and progress has been made in restoring networks.
For example, CharterCare, which is one of the hospital networks, today claims that the systems are operational again. However, they are still working on restoring patient records. A notice published on CharterCare.org reads as follows: “Work to introduce into our electronic medical record (EMR) system the paper patient records used by our caregivers while our systems were down is continuing.”
To date, however, employees have been unable to ascertain whether any data was stolen during the breach.
About Rhysida
The attack was carried out by a ransomware group calling itself Rhysida. The gang launched its operation in May 2023 and quickly gained notoriety by attacking the Chilean army. The attack was successful and the hackers eventually leaked the stolen data, earning them quite a reputation in the online security world.
In early August, the US Department of Health and Human Services (HHS) issued a warning about the gang, stating that Rhysida was responsible for recent attacks on healthcare organizations. The gang confirmed this, openly claiming responsibility for the attack on Prospect Medical Holdings. It is also threatening to sell the stolen data, which reportedly consists of 1TB of documents and a 1.3TB SQL database containing social security numbers, driving licenses, passports, patient medical data, corporate documents and other sensitive data.
The gang wants 50 bitcoins (BTC) in return, which is worth around $1.35 million, based on the coin’s price at the time of writing ($27,170).
The hackers themselves listed the contents of the stolen data on their data leak site, stating, “They kindly provided: over 500,000 SSNs, customer and employee passports, driver’s licenses, patient records (profile, medical history), financial and legal documents!!!”
In addition, the group’s data leak website also shared screenshots of several driver’s licenses and other documents stolen during the attack. Some of these screenshots also contain letterhead from Eastern Connecticut Health Network, one of the hospital networks owned by PMH.
At this time, PMH has not responded to numerous requests for information and comment.