Clarke County Hospital in Iowa has confirmed that it has suffered a data breach, a month after the Royal ransomware gang claimed responsibility for the attack. Security researchers noticed the critical access hospital on the Royal ransomware data leak site on 24 April. About a week later, Royal operators had reposted the Clarke County Hospital listing and were actively leaking data that included an alleged video of a patient collapsing. CCH did not acknowledge that it had been attacked until 17 May when it issued a data breach notification that the attack “may have exposed” personal information of current and former patients.
The hospital claimed that it had “found no evidence” to suggest that the information had been misused, but warned that it was “possible” that the following personal information could have been acquired by an unauthorised third party: first name, last name, address, date of birth, health insurance information, medical record number, diagnostic information, and certain health information. Information that was not affected by the breach included electronic medical records, Social Security numbers, banking information, credit card information and financial information.
The hospital did not reveal whether the Royal ransomware claim was accurate or whether ransomware was involved at all, but it did disclose that the attack began on 14 April and forced CCH to shut off all network access. Despite issuing a notification about the breach, the hospital has still not commented on the reported data leak. Royal ransomware gangs typically list victim organisations on their sites as a way of exerting pressure on them to pay a ransom. When the victims pay the ransom, the groups remove the listings and leaked data from their sites.
As defence against ransomware continues to improve and payment amounts decline, ransomware groups are using increasingly aggressive extortion tactics. In April, Alphv ransomware operators leaked conference video footage which they claimed had been stolen from Western Digital. Also in April, operators claiming to be part of the AvosLocker ransomware group hacked Bluefield University’s emergency notification system, demanding payment directly from students and staff. This attack highlights the increasing risks faced by the healthcare sector from threat actors stealing and ransoming sensitive medical data. In February, ransomware operators threatened to leak medical information and patient images after breaching Lehigh Valley Health Network.