REvil Target: University Medical Center of Southern NevadaRansomware Group Posts Stolen Data
The University Medical Center of Southern Nevada acknowledged it had been the victim of a cyberattack after a newspaper discovered stolen data had been posted on the darknet site of the ransomware-as-a-service gang REvil, also known as Sodinokibi and Sodin.
The Las Vegas Review-Journal reported that UMC issued a statement acknowledging it had been the victim of a cyberattack after the newspaper viewed images posted on the REvil website.
The newspaper reported that the images apparently stolen in the UMC incident included Nevada driver’s licenses, passports and Social Security cards of about a half-dozen apparent victims.
Brett Callow, a threat analyst at security firm Emsisoft, confirmed to Information Security Media Group that REvil has listed UMC as a victim on its darknet site, "posting screenshots of allegedly stolen data as described by the Review-Journal. How much data was stolen and its nature is something only REvil and, possibly, UMC will know."
REvil often posts samples of stolen data on its website to "name and shame" its victims in hopes of getting them to pay a ransom to prevent the publishing of more data.
In a statement, UMC says its cybersecurity team in mid-June detected "suspicious activity" on the hospital’s computer network and responded by immediately restricting external access to UMC servers.
"While the hospital continues to work with law enforcement to fully investigate this activity, UMC believes cybercriminals accessed a server used to store data," UMC says in the statement.
"This type of attack has become increasingly common in the healthcare industry, with hospitals across the world experiencing similar situations."
UMC says there is no evidence that any clinical systems were accessed during the attack.
"UMC continues to work alongside the Las Vegas Metropolitan Police Department, the FBI and cybersecurity experts to determine the exact origin and scope of the attack. The investigation will provide valuable information to help prevent similar security issues in the future."
UMC’s IT division acted swiftly to identify the suspicious activity and secure the hospital’s network, the organization states. "This internal response resulted in minor, intermittent computer login issues for some UMC team members. While these login issues were certainly inconvenient, there have been no disruptions to patient care or UMC’s clinical systems."
Although UMC says it "has no reason to believe cybercriminals accessed any clinical systems," the hospital says it will notify patients and employees that their personal information may be at risk.
The organization will provide affected patients and staff with access to free identity protection and credit monitoring services.
A UMC spokesman tells ISMG that there have been no disruptions to patient care or UMC’s clinical systems tied to the incident.
UMC did not respond to ISMG's request for additional details, such as whether it paid a ransom to the attackers.
As of Thursday, UMC had not yet posted on its website a notification statement about its recent cyberattack. The incident also was not yet posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
But the Las Vegas healthcare organization's site provides a link to a notification statement about an apparently separate data breach affecting UMC data involving revenue cycle services vendor Med-Data.
The Med-Data incident, disclosed by the vendor in April, involved an employee who sometime between December 2018 and September 2019 uploaded files containing patient data to the public-facing, open-source software development hosting website GitHub.
Med-Data reported the incident on April 1 to the HHS Office for Civil Rights as a breach affecting nearly 136,000 individuals.
Several of Med-Data's healthcare clients - but apparently not UMC - have issued their own individual breach notification statements about the incident.
Other Healthcare Attacks
Among other recent ransomware attacks in the healthcare sector, San Diego-based Scripps Health in early May suffered an attack that disrupted access to patients' electronic medical records and other clinical systems for several weeks.
At least four lawsuits seeking class action status have been filed against Scripps Health so far in the aftermath by patients whose information or care was allegedly affected (see: Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack).
Also, on June 25, Northwestern Memorial HealthCare in Chicago reported to HHS a hacking incident affecting more than 201,000 individuals.
In a breach notification statement, the healthcare system said that incident was tied to a recent cyberattack on Elekta, which provides a cloud-based platform to facilitate legally required cancer reporting to state regulators (see: Attack on Radiation Systems Vendor Affects Cancer Treatments).
Sweden-based Elekta has not disclosed whether the incident involved ransomware. Several of its U.S.-based healthcare clients, including Yale New Haven Health in Connecticut, were affected by the incident.
"Attacks on healthcare and other critical infrastructure seem to be continuing at much the same rate as ever, which really isn’t surprising," Callow says. "Ransomware is so profitable that solving the problem will not be quick and easy."