Ransomware remained a persistent threat in December, disrupting patient access to healthcare and affecting the personally identifiable information of millions in a single attack.
TechTarget Editorial's 2023 ransomware database, which consists of publicly reported and disclosed attacks on U.S. organizations, tracked 34 victims in December. Tracking ransomware attacks continues to be difficult due to a lack of transparency and an evolution where attackers opt out of ransomware deployment to focus solely on data theft and extortion threats. Several cybersecurity companies recorded historic highs for ransomware attacks throughout 2023. One recent report by Emsisoft revealed that more than 2,000 U.S. hospitals, schools and governments were hit by ransomware in 2023 -- victims that threat actors know can't afford the downtime.
While ransomware groups continued to target healthcare organizations throughout December, victims also came from a variety of sectors including legal, IT, industrial and financial.
On Dec. 29, Massachusetts-based Transformative Healthcare issued a data breach notification for a ransomware attack that occurred in February against its subsidiary Fallon Ambulance Service. Transformative did not clarify why it took nearly one year to disclose the incident, but did say the investigation was completed on or around Dec. 27.
While Fallon closed operations in 2022, Transformative maintained a data storage archive that contained Fallon patient information including names, addresses, Social Security numbers and medical information. The notification filed to the Office of the Maine Attorney General revealed that the incident affected more than 20,000 Maine residents and nearly 1 million individuals overall. The Alphv ransomware group, whose servers were seized by the FBI last month, claimed responsibility for the attack.
Another Massachusetts healthcare organization suffered an attack on Christmas Eve. Anna Jaques Hospital staff were forced to divert emergency care to other Boston-area hospitals in the Beth Israel Lahey Health System following a cyberattack. While the FBI was contacted and emergency services resumed on Dec. 26, The Daily News reported that disruptions to the hospital's electronic health record system continued through Jan. 3.
Liberty Hospital in Missouri forced systems offline following a ransomware attack on Dec. 19, and as of Dec. 29, systems were not fully restored. In the initial disclosure, Liberty said it was experiencing a communications outage and advised patients "to seek emergency medical care at other hospital ERs at this time." An update on Dec. 28 revealed that the fallout was even more significant than initially reported.
"In collaboration with numerous EMS teams and hospitals from across the Kansas City area, Liberty Hospital swiftly transferred patients who required higher levels of care than systems were equipped to support at that time," Liberty Hospital wrote in the statement.
The latest update, posted on Dec. 29, informed patients that the investigation into the cybersecurity incident and the effort to fully restore systems were both ongoing.
On Dec. 1, The Seattle Times reported an attack against the Fred Hutchinson Cancer Center in Seattle. The organization, commonly known as Fred Hutch, issued a data breach notification that expanded on the Nov. 19 ransomware attack; threat actors obtained sensitive information including names, addresses, phone numbers, email addresses, birth dates, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service, treatment information and lab results.
"Our analysis is ongoing, but we estimate approximately 1 million individuals may be affected," Fred Hutch wrote in the data breach notification.
Some of those individuals, including former and current patients, started to receive extortion threats via email, The Seattle Times reported on Dec. 8. Threat actors allegedly connected to the Hunters International ransomware group listed the patient's address, phone number and medical record number in the email, along with instructions to pay $50 to remove the information from its public data leak site. Directly extorting patients, customers and even family members of victim organizations is a more recent tactic ransomware actors use to extract payment.
Fred Hutch addressed the extortion threats and instructed patients to not pay a ransom, block the sender and delete the message. The center also revealed that attackers gained initial access by exploiting a Citrix vulnerability, which has since been fixed.
Attacks affect millions
In addition to Transformative Healthcare and the Fred Hutchinson Cancer Center, ESO Solutions Inc. also suffered a ransomware attack that affected a significant number of individuals. Based in Austin, Texas, ESO is a software provider for hospitals, emergency medical services, fire departments, and state and federal agencies. In a data breach notification filed to the Office of the Maine Attorney General on Dec. 19, ESO revealed that the incident that occurred on Sept. 28 affected 2,700,000 individuals overall. While ESO said it "detected and stopped a sophisticated ransomware incident," the data breach might have exposed names, birth dates, injury types, treatment dates, treatment types and Social Security numbers.
Another notable attack occurred against one of the largest apparel companies, VF Corporation. The attack occurred on Dec. 13 and disrupted VF's ability to fulfill orders during the holiday season. The corporation consists of Vans, The North Face, Timberland and Dickies brands.
In an 8-K form filed to the U.S. Securities and Exchange Commission on Dec. 15, VF revealed that the "threat actor disrupted the Company's business operations by encrypting some IT systems, and stole data from the Company, including personal data." No ransomware gang has claimed responsibility for the attack.
However, the same cannot be said for an attack against Heico Corporation on March 2 that was claimed by the Black Basta ransomware group. Heico did not disclose the ransomware attack until Dec. 19, though it is unclear why it took nine months to do so. The data breach notification revealed that the threat actor accessed the company's corporate servers. Heico provides aircraft, spacecraft, defense equipment, medical equipment and telecommunications systems; customers include government agencies.
"We determined that your personal information was present in the data that was stolen and posted on the dark web," Heico wrote in the data breach notification.
Aiphone Corporation, which manufactures communications systems, suffered a ransomware attack on July 22 that was disclosed in a data breach notification on Dec. 8. Based in Washington state, Aiphone manufactures access control and intercom systems for schools and other organizations. The Money Message ransomware group, which is relatively new to the threat landscape, claimed responsibility for the attack.
Arielle Waldman is a Boston-based reporter covering enterprise security news.