Ransomware authors are once again targeting health services, holding important files to ransom and impacting potentially vital services. On this occasion, the victims are a non-profit organisation assisting people with their healthcare needs in California.
When Hive ransomware strikes
The victim, Partnership HealthPlan of California, has apparently been struggling since at least March 24 with this outbreak of Hive ransomware. Hive ransomware has been around since June 2021, and is a typical targeted ransomware-as-a-service (RaaS). It leverages threats to publish exfiltrated data to pressure victims to pay up. The ransomware group is known to work with affiliates that use various methods to compromise company networks.
Last August, the FBI published a paperdetailing indicators of Hive compromise, along with additional tactics and techniques used by the ransomware operators. It is not a threat to be taken lightly.
The impact of ransomware
The websitefor the embattled provider currently reads as follows:
Partnership HealthPlan of California recently became aware of anomalous activity on certain computer systems within its network. We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation. Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines. We appreciate your patience and understanding and apologize for any inconvenience.
They go on to list what to do if you’re a partnership member or provider, along with the warning not to send any PII via email. As noted on VentureBeat, setting up alternate methods of contact (in this case, Gmail addresses) is a smart move in case their regular email comms are also compromised.
A slice of data exfiltration to round things off
Any impact on medical services can be extremely serious. Anything from routine appointments and check-ups to delayed operations or medical assistance can be the end result. The affected organisation in this case serves upwards of 600,000 peoplein the California region.
Additionally, the ransomware operators claim to have stolen 400GB of files. This allegedly includes 850k PII records which includes names, addresses, and social security numbers. This is less than ideal, though investigations are still ongoing. The primary concern right now has to be that services are restored to full functionality. The human impact of healthcare attacks is significant, and the kind of additional worry that people using said services don’t need to be dealing with.
This story is still developing, and we'll add any important information to the blog as it comes to light. If you think you may be affected by this incident, you should contact the affected organisation using the contact details they've provided as soon as you can.