DataBreaches has never been to Milan but in researching this post, DataBreaches read the history of the Fatebenefratelli-Sacco Territorial Social Healthcare Company (ASST). Reading how it has evolved since the late 1800’s to serve the people of Milan makes it clear how vital this hospital system is to Milan and its people.
On May 5, Asst Fatebenefratelli-Sacco published a notice on their website:
Machine Translation of the text in the notice:
NOTICE: attack on company information systems
05/05/2022
On 01/05/2022 an attack was carried out on the company information systems, aimed at the infrastructures of the Fatebenefratelli and Sacco sites which impacted the functioning of all the systems at all the other company offices (Buzzi, M. Melloni and 33 Territorial offices).
The action paralyzed all company systems and attacked the basic services of the infrastructure, given the entity, scope and extension, the full operation of the systems does not currently have a definable time frame.
The Company is sorry for the impact on users.
We are working to make all company systems operational.
The hospital system’s notice of May 5 pretty much says it all — this was an attack that produced major disruption for the network of hospitals serving millions of people — including two hospitals serving children (Buzzi, M. Melloni).
DataBreaches understands that the hospital system still has not recovered fully almost two months since the attack. DataBreaches emailed the hospital system to ask for an update on their May 5 notice, but no reply was immediately available.
Yesterday, Vice Society claimed responsibility for the attack by adding the Macedonio Melloni Hospital to its leak site and dumping data from the system. Inspection of the data leak makes clear that claims in a (May 2) statement by Lombardi Region that there was no evidence that personal data had been stolen were premature at best, and ultimately, wrong.
DataBreaches will not be posting any screencaps of files in the data leak. Suffice to say that the leak contains a great deal of personal and sensitive information on patients.
But as bad as the breach of personal and sensitive information is, the disruption to the hospitals’ functioning has been the bigger issue. For almost two months, this hospital system has allegedly been impacted.
Over the past six years, DataBreaches has publicly and privately called on threat actors to swear off attacking hospitals. A few have. And in one case reported on this site, a threat actor decided not to pursue a supply chain attack that had already given him access to a number of hospitals. He sent DataBreaches information on how he compromised the vendor and who he then accessed so that DataBreaches could contact the hospital to alert them that their network had been accessed.
Vice Society appears to be a successful ransomware group. In some respects, they appear much more professional than groups that always seemed to generate drama or conflict. DataBreaches continues to hope that they will swear off attacking hospitals. And maybe they can find it in their hearts to help this hospital system recover fully?
When all is said and done, it’s not just business and it’s the vulnerable and powerless who are impacted the most.