Rhysida claims ransomware attack on Prospect Medical, threatens to sell data


The Rhysida ransomware gang has claimed responsibility for the massive cyberattack on Prospect Medical Holdings, saying it stole 500,000 social security numbers, corporate documents, and patient records.

The attack is believed to have occurred on August 3rd, with employees finding ransom notes on their screens stating that their network was hacked and devices encrypted.

Prospect Medical Holdings (PMH) is a US healthcare company operating 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island and a network of 166 outpatient clinics and centers.

The cyberattack caused the hospitals to shut down their IT networks to prevent the attack’s spread, forcing hospitals back to using paper charts.

While PMH did not respond to queries about the security incident, BleepingComputer later learned that the Rhysida ransomware gang was behind the attack.

Ransom note shown on Prospect Medical Holdings' devices
Source: BleepingComputer

Since then, PMH hospital networks such as CharterCare have stated that systems are up and running again but that they are still restoring patient records.

“Work to input paper patient records used by our caregivers while our systems were down into our electronic medical record (EMR) system is ongoing,” reads a notice on CharterCare.org.

However, BleepingComputer was told there had been no communication to employees about whether their data was stolen in the attack.

Rhysida claims attack

Rhysida is a ransomware operation that launched in May 2023 and quickly rose to notoriety after attacking the Chilean Army (Ejército de Chile) and leaking its data.

Earlier this month, the US Department of Health and Human Services (HHS) warned that the Rhysida gang was behind recent attacks on healthcare organizations.

Now, the Rhysida ransomware gang has claimed the attack on Prospect Medical Holdings, threatening to sell the company’s allegedly stolen data for 50 Bitcoins (worth $1.3 million).

The threat actors claim that they stole 1 TB of documents and a 1.3 TB SQL database containing 500,000 social security numbers, passports, driver’s licenses, corporate documents, and patients’ medical information.

“They kindly provided: more than 500000 SSN, passports of their clients and employees, driver’s licenses, patient files (profile, medical history), financial and legal documents!!!,” reads the Rhysida data leak site.

The gang’s data leak site also shared numerous screenshots of driver’s licenses, social security cards, documents, and what appears to be patients’ medical information.

Some screenshots showed leaked documents containing letterhead for Eastern Connecticut Health Network, one of PMH’s hospital networks.

BleepingComputer has contacted PMH with questions about the leaked data but has not received a response at this time.


