Clarke County Hospital on Wednesday disclosed that it suffered a data breach, one month after the Royal ransomware gang claimed responsibility for the attack and used a brazen extortion tactic.
Security researchers spotted the Iowa-based critical access hospital on the Royal ransomware data leak site, where it was first listed on April 24. About a week later, security researcher Dominic Alvieri noticed that Royal operators had reposted the Clarke County Hospital (CCH) listing and were actively leaking data that included an alleged video of a patient collapsing.
CCH didn’t acknowledge an attack until May 17, when it issued a data breach notification that the attack “may have exposed” personal information of current and former patients.
“CCH has found no evidence that your information has been misused,” the hospital wrote in the notification letter. “However, it is possible that the following personal information could have been acquired by an unauthorized third party: first name, last name, address, date of birth, health insurance information, medical record number, diagnostic information, and certain health information.”
In addition, CCH emphasized that electronic medical records, Social Security numbers, banking information, credit card information and financial information were not involved in the breach.
The notification did not address the Royal ransomware claim or whether ransomware was involved at all, but it did disclose that the attack began on April 14 and forced CCH to shut off all network access. Status updates to CCH’s Facebook page at the time confirmed the network disruption.
In a Facebook post on April 14, CCH said it was “currently experiencing outages with [its] phone and internet systems” and was “working diligently to restore those services.” Hours later, another Facebook post revealed CCH had regained limited access to its phone systems, but the internet remained down. Subsequently, CCH did not post to Facebook until April 20, without any mention of the network outage — it was never addressed on social media again.
As of Monday, the CCH listing on Royal’s public data leak site, originally dated April 20, is now gone. Ransomware gangs typically list victim organizations on their sites with leaked data to pressure those organizations into paying the demanded ransom; when the victims pay the ransom, the groups remove the listings and leaked data from their sites.
CCH did not respond to TechTarget Editorial’s request for comment about the reported data leak.
Brett Callow, threat analyst at Emsisoft, confirmed that CCH was listed by Royal ransomware. “I didn’t access the data, so can’t say what was or was not posted,” he told TechTarget Editorial. “The video, if it was posted, was likely intended to get the press to shine a light on the incident, increasing pressure on CCH.”
As defense against ransomware improves and payment amounts decrease, ransomware groups are leveraging increasingly aggressive extortion tactics. In April, Alphv ransomware operators leaked conference video footage it claimed was stolen from Western Digital. Also last month, operators that claimed to be part of the AvosLocker ransomware group hacked Bluefield University’s emergency notification system and demanded payment directly from the students and staff.
In addition, this attack represents the increased risks to the healthcare sector from threat actors stealing and ransoming sensitive medical data. In February, ransomware operators threatened to leak medical information and patient images after breaching Lehigh Valley Health Network.
Arielle Waldman is a Boston-based reporter covering enterprise security news.