Barlow Respiratory Hospital has locations in California, and given how COVID has so many respiratory complications, you would imagine that they have been incredibly busy this year.
On August 27, they experienced a ransomware attack, an attack claimed by threat actors who call themselves Vice Society. The hospital responsibly posted a notice on their web site:
The statement claimed that the hospital had been prepared for a potential attack and protective systems were promptly activated. It also said:
As a result of this cyber-attack no patients were at risk of harm and our hospital operations continued without interruption.
While that sounds like great news, it should not be interpreted to mean that no employee or patient data was accessed or stolen. It appears that Vice exfiltrated a lot of files and a number of those files contain personal information, including older files with disciplinary measures taken with respect to named employees.
In fact, there were a number of older files in the data dump that suggest that the threat actors may have hit a backup server as part of their attack. As one example, there are 1,650 files with consultation notes on named patients that include their personal and medical information in multi-page reports. These 1,650 files do not represent unique patients, as there were multiple consultation reports on many of the patients, but the bulk of the reports are dated between 2001 and 2009. Were they on current servers or on a backup server?
Current files and reports were also in the dump. As a respiratory hospital that has shared its early COVID-19 findings with others, it is not surprising to find spreadsheets with information on COVID patients and their responses to treatment. But the spreadsheets contain patients’ real names and other details that make this all ePHI. No password was required to open these files after downloading them.
DataBreaches.net is not going to describe all of the kinds of files and information that were in this data dump, but Barlow Hospital may have a lot of notifications to make — to current and former employees and to current and former patients. DataBreaches.net sent Barlow an inquiry as to whether there were any triggers or alarms set off during the exfiltration of so much data, and will update this post if a response is received.
For those who are not familiar with Vice Society, thet group first emerged as Vice Society in 2021, and they quickly demonstrated that they will not only hit hospitals, but they claim to like hitting hospitals. These are the same threat actors who hit — and then dumped data from — Waikato District Health Board in New Zealand, Eskenazi Health Foundation in the U.S., and Centre Hospitalier D’Arles in France.
DataBreaches.net does not know how many other hospitals they may have hit who paid their ransom demands, and notes that not much seems to have been written about them so far in terms of how to prevent an attack by them — other than they have recently exploited the PrintNightmare vulnerability.*
Based on statements from hospitals who have recently been hit, more hospitals *are* expecting to be attacked and are trying to prepare for an attack by having an incident response plan, and that’s good news. What they do not seem to be doing yet as much, is getting old data offline or better protected so that they will not have potentially thousands of notifications to make after spending months trying to figure out what happened and whom to notify.
* See:
- Vice Society leverages PrintNightmare in ransomware attacks
- Vice Society ransomware joins ongoing PrintNightmare attacks
- Two ransomware gangs, Vice Society and Magniber, said to launch attacks via PrintNightmare