Aug 24, 2023 - Technology

Ransomware gang claims it stole Social Security numbers, passport data in recent hospital attack

Illustration of question mark on folder pattern.

Illustration: Lindsey Bailey/Axios

The Rhysida ransomware gang claimed responsibility Thursday for a recent cyberattack on Prospect Medical Holdings, according to a dark web listing reviewed by Axios.

Why it matters: The new ransomware gang alleges it stole more than 500,000 Social Security numbers and photocopies of employees' driver's licenses and passports, along with other legal and financial documents.

  • Axios was able to confirm that at least some of the stolen data is legitimate using public records.

Driving the news: Prospect Medical Holdings, which operates 16 hospitals across four U.S. states, has been struggling to get back online after a suspected ransomware attack earlier this month.

  • Some elective surgeries, outpatient appointments, blood drives and other services were still being postponed last week, according to the Associated Press.
  • Prospect has said little publicly about what kind of cyberattack it's facing, what data was stolen or who may be behind the attack as it conducts an internal investigation.

What they're saying: A Prospect spokesperson said the company could not comment on the alleged data leak in a statement to Axios, citing "the sensitivity of the incident and law enforcement involvement."

  • "Prospect Medical continues to work around-the-clock to recover critical systems and restore their integrity," the spokesperson said in the statement. "We are making significant progress. Some operational systems have been fully restored and we are in the process of bringing others online."

The big picture: Hospitals and healthcare organizations have become a go-to target for ransomware gangs since they often run on outdated IT systems, while also collecting patients' most sensitive information.

  • Ransomware attacks on healthcare organizations have doubled in the last five years, according to a JAMA Health Forum study released earlier this year.

Details: Rhysida listed Prospect as one of its victims on its dark web site on Thursday, claiming that it had stolen 1 terabyte worth of "unique" files and a 1.3-terabyte-sized SQL database.

  • Ransomware gangs will often post the names of their victims on their sites to make the targets look bad and apply pressure in ongoing ransom payment negotiations.
  • Typically, companies that have paid ransom are spared the public data exposure.
  • In the listing, Rhysida says it will auction off "more than 500,000 SNNs, passports of their clients and employees, driver's licenses, patient files (profile, medical history), financial and legal documents!!!"
  • The auction ends in nine days, and Rhysida is asking for 50 Bitcoin, per the listing.

Yes, but: Ransomware hackers often exaggerate or misrepresent the amount and significance of the data they stole.

  • Axios was only able to review screenshots that the group shared of the stolen information, not the actual files.

Between the lines: Rhysida was first spotted targeting organizations in May, but government officials and cybersecurity researchers have already seen the group go after a growing number of critical infrastructure organizations in recent months.

  • The Department of Health and Human Services warned earlier this month that it's seen the group go after several organizations in the health and public health sector.
  • The advisory also pointed out that most of Rhysida's victims are in the education and manufacturing sectors.

Be smart: HHS recommends that organizations patch known security flaws in their systems, create data back-ups to rely on if they're taken offline and require phishing awareness trainings for employees.

Editor's note: This story has been updated with comment from Prospect.

Go deeper