The healthcare sector has become a prime target for cyberattacks, as shown by recent high-profile incidents in both the United Kingdom and the United States. The Federal Bureau of Investigation (FBI) reported that in 2023, healthcare was the critical infrastructure sector most targeted by ransomware, with at least 249 healthcare organizations across the U.S. affected.
Hospitals in other countries, including France, Germany, Romania, and South Korea, have also been targeted by cyberattacks. The consequences of these attacks are severe, impacting patient safety, economic stability, and national security.
1. England: The Synnovis cyberattack
On June 3, 2024, Synnovis, a pathology service provider for the National Health Service (NHS) in England, was targeted in a ransomware attack. This incident forced major hospitals in London to declare emergency status, and the situation is still critical. Emergency patients have been diverted, and hospitals have canceled cancer operations due to the inability to guarantee blood transfusions. Blood tests and transfusions are currently facing delays, and the NHS has made an urgent call for O-type blood donations. Additionally, non-emergency operations were canceled, and hospital staff have reverted to using pen and paper.
As of June 6, the NHS reported that the full impact of the attack remains uncertain. Ciaran Martin, the former chief executive of the United Kingdom’s National Cyber Security Centre, suggested that the Russian ransomware gang Qilin is likely responsible. Cybersecurity experts note that Qilin often gains initial access to networks through spearphishing emails containing malicious links. The gang has a history of targeting medical organizations and other critical infrastructure.
2. The United States: The Ascension cyberattack
On May 8, 2024, Ascension, a major American healthcare provider, was hit by a ransomware attack likely orchestrated by the Russian-speaking group Black Basta. With 140 hospitals across 19 states, the attack forced hospitals to divert emergency services and pause non-emergency procedures. Ascension is still working to restore access to medical records and aims for full system recovery by June 14.
According to the United States Cybersecurity and Infrastructure Security Agency (CISA), Black Basta has previously attacked over 500 entities across various sectors. Cybersecurity experts note that Black Basta carefully selects its victims and employs several methods to gain initial access to target networks. These methods include: 1) sending spearphishing emails to specific individuals to deceive them into revealing their credentials or opening malicious attachments, 2) recruiting insiders within target organizations, and 3) purchasing network access.
3. The United States: The Change Healthcare cyberattack
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, experienced one of the most severe healthcare cyberattacks in American history. As a leading healthcare company, Change Healthcare processes 50% of all medical claims in the United States and offers prescription services through Optum, a technology provider to over 67,000 pharmacies, serving more than 129 million American citizens. The attack crippled financial operations for hospitals, insurers, pharmacies, and medical groups nationwide.
In May 2024, UnitedHealth Group’s CEO, Andrew Witty, testified before the United States Congress regarding the cyberattack on Change Healthcare. Mr. Witty explained that the attackers initially gained access using stolen credentials. They then exploited these legitimate credentials to access a server that did not have Multi-Factor Authentication (MFA) enabled.
ALPHV/BlackCat, a Russian-speaking ransomware group, claimed responsibility for the attack. In April 2022, the FBI issued an advisory stating that developers and money launderers associated with ALPHV/BlackCat had links to DarkSide, the ransomware group believed to be behind the Colonial Pipeline attack in 2021, which caused significant shortages of gasoline, diesel fuel, and jet fuel in the United States.
4. Romania
In February 2024, more than 100 healthcare facilities in Romania fell victim to a ransomware attack. The National Cyber Security Directorate (DNSC) reported that 25 hospitals experienced data encryption, while 79 other medical facilities were forced offline due to the attacks. The hackers initially targeted the Hipocrate Information System, a healthcare app, using a variant of the Phobos ransomware strain developed by Russian-speaking hackers. The infection then spread rapidly among healthcare organizations throughout Romania.
5. France and Germany
In April 2024, a hospital in France fell victim to a ransomware attack orchestrated by the LockBit Ransomware Group. As a result, some patients were diverted, non-urgent surgical procedures were canceled, and hospital staff resorted to using pen and paper to provide care for patients. Similarly, in December 2023, hospitals in Germany were targeted by the LockBit Ransomware Group, leading to disruptions in emergency services at multiple hospitals. People requiring urgent medical attention were redirected to other facilities.
In May 2024, the U.S. Justice Department filed charges against a Russian national for allegedly developing and operating LockBit Ransomware.
6. South Korea
In May 2023, our team at The Readable reported on the data breach at Seoul National University Hospital (SNUH), one of South Korea’s largest medical facilities. The Korean National Police Agency (KNPA) attributed the attack to North Korean hackers. Additionally, in September 2023, our team disclosed that between February 2020 and July 2023, 74 healthcare facilities throughout South Korea had been targeted in cyberattacks, with 68 of these cases identified as ransomware attacks.
Conclusion: The need for greater domestic and international collaboration
On June 7th, the British Broadcasting Corporation (BBC) held its inaugural UK Election Debate. The absence of cybersecurity discourse underscored the necessity for collaboration extending beyond experts and law enforcement, reaching all levels of leadership. Recognizing the urgency of cybersecurity is paramount to fortifying our defenses against cyber threats. Prioritizing collaborative efforts, both domestically and internationally, is essential. Only through coordinated action across all levels of leadership can we effectively safeguard critical infrastructure from cyberattacks and ensure the well-being of our citizens.