RansomHub Claims Theft of Montana Planned Parenthood Data
Experts Say Orgs That Handle Highly Sensitive Health Info Are Targets of Attacks
Planned Parenthood of Montana, which provides patients with reproductive healthcare services including birth control and abortion, is responding to a hack and a threat by cybercriminal group RansomHub to leak 93 gigabytes of data allegedly stolen from the organization.
The hack is one of the latest incidents spotlighting threats posed to organizations that handle highly sensitive information such as reproductive health, in light of state bans and new restrictions on abortions since the Supreme Court overturned Roe v. Wade in 2022.
Planned Parenthood of Montana in a statement to Information Security Media Group on Thursday confirmed that it identified a cybersecurity incident on its IT systems on Aug. 28. The national Planned Parenthood organization operates 600 centers across the U.S.
"We immediately implemented our incident response protocols, including taking portions of our network offline as a proactive security measure," said Martha Fuller, president and CEO of Planned Parenthood of Montana.
"We are grateful to our IT staff and cybersecurity partners, who are working around the clock to securely restore impacted systems as quickly as possible, and who are tirelessly investigating the cause and scope of the incident."
Fuller also said the organization is aware of RansomHub's post on the group's dark web site and has reported the incident to federal law enforcement. The investigation into the incident is ongoing, she said.
Montana is not the first Planned Parenthood center hit with a cyberattack. Planned Parenthood of Los Angeles in 2021 also experienced a ransomware and data exfiltration attack that affected sensitive health information, including diagnoses and medical procedures of about 400,000 individuals (see: Planned Parenthood Data Exfiltrated, 400,000 Notified).
Some experts said cybercriminals are most likely picking potential targets in healthcare more selectively because of the levels of sensitivity of the information they handle.
"Reproductive healthcare is a significant area of concern for a variety of reasons, including the extreme variations between state laws and certain types of procedures and reproductive healthcare," said regulatory attorney Rachel Rose.
"Cybercriminals have honed in on this area, just like they did with children's hospitals, because it gets attention, and the goal is to have people pay a ransom and/or to cripple a critical infrastructure sector, which is what happened in Change Healthcare," she said.
UnitedHealth Group - Change Healthcare's parent company - admits paying a $22 million ransom to attackers in its incident.
Privacy attorney Iliana Peters of the law firm Polsinelli said that based on what she sees, cybercriminals are intent on trying to shake down extortion bounties from any organization they think might pay, but they do not appear to be targeting entities in any specific segments of any sectors, including healthcare.
"In my experience, threat actors aren't particularly interested in any type of personally identifiable information or protected health information, except to the extent the information enables them to commit payment fraud or identity theft, or allows them to procure a ransom payment from the entity itself," she said.
Children's information also appears to be a target. In January, ransomware-as-a-service group Rhysida took credit for an attack on Ann & Robert H. Lurie Children's Hospital of Chicago, which took the pediatric medical center's IT systems offline for several weeks and compromised the data of 800,000 individuals.
Rhysida had demanded a $3.4 million ransom for data stolen in that attack, but the hospital said it did not pay (see: Children's Hospital Notifies 800,000 of Data Theft in Attack).
"While it is hard to know exactly what makes a threat actor target an organization, I believe it is reasonable to expect factors like impact or hot-button topics that can stir controversy may influence response behavior," said Rick Vanover, vice president of product strategy at security firm Veeam Software.
"The more private or sensitive the data, the more attractive it may be to the threat actor and dark web. However, cyberthreats don't discriminate," he said. "It's not necessarily the industry that's targeted; it's those organizations that are unprepared or not data resilient that suffer the worst damage from a cyberattack or ransomware incident."
RansomHub was the subject of a joint alert issued last week by the FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center.
Authorities say that since its February inception, RansomHub has encrypted and exfiltrated data from at least 210 victims across several sectors, including healthcare and public health, financial services and government.
RansomHub has claimed to be at the center of several recent high-profile health sector hacks. It said it had custody of 4 terabytes of data stolen by an affiliate of another gang - BlackCat - in the February Change Healthcare attack. The group has also taken credit for recent data theft attacks on the Rite Aid pharmacy chain and the Florida Department of Health.
In their joint alert last week, U.S. government authorities said the RansomHub affiliates leverage double-extortion - including encrypting IT systems and exfiltrating data to extort victims.
"It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions," the alert says.
"Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL - reachable through the Tor browser. The ransom note typically gives victims between three and 90 days to pay the ransom - depending on the affiliate - before the ransomware group publishes their data on the RansomHub Tor data leak site."
The gang's website says, "We do not allow nonprofit hospitals and some non-profit organizations be targeted."
Vanover said his top recommendations for keeping data resilient against potential attacks are not specific to healthcare or other sensitive information but apply across the board. "I have been advising the 3-2-1 rule for several years with a modern twist and an optional step further: Three copies of data, two different media and one of them being off-site is a great start," he said.
"But 3-2-1-1-0 goes one step further and has at least one copy that's immutable so there are no surprises with malware detection and recovery verification," he said. "I also advise organizations to consider having two different immutable copies; this will provide the highest levels of resiliency today to protect this critical data."
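As an added illustration of the 3-2-1 and 3-2-1-1-0 rules Vanover describes (example code written for this page, not Veeam's or the article's own), the checker below evaluates a backup inventory against each tier. It assumes the production copy counts as one of the "three copies" (the classic reading of the rule) and interprets "two different immutable copies" as two immutable copies on different media; the sample inventory is constructed.

```python
"""Check a backup inventory against the 3-2-1 and 3-2-1-1-0 rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool       # held at a different site or region than production
    immutable: bool     # WORM / object-lock: cannot be altered or deleted
    verified: bool      # most recent integrity check / restore test passed


def evaluate(copies: list[BackupCopy]) -> dict:
    """Return which tiers of the rule the inventory satisfies.

    Assumption (not stated in the article): the production copy is part of
    `copies` and counts toward the "three copies".
    """
    total = len(copies)
    media_kinds = {c.media for c in copies}
    offsite = [c for c in copies if c.offsite]
    immutable = [c for c in copies if c.immutable]
    # The trailing "0" means zero errors: every copy's last verification passed.
    unverified = [c.label for c in copies if not c.verified]

    three_two_one = total >= 3 and len(media_kinds) >= 2 and len(offsite) >= 1
    three_two_one_one_zero = three_two_one and len(immutable) >= 1 and not unverified
    # Vanover's optional step: two immutable copies (assumed here: on different media).
    two_different_immutable = len(immutable) >= 2 and len({c.media for c in immutable}) >= 2
    return {
        "copies": total,
        "media": sorted(media_kinds),
        "offsite_copies": len(offsite),
        "immutable_copies": len(immutable),
        "unverified": unverified,
        "3-2-1": three_two_one,
        "3-2-1-1-0": three_two_one_one_zero,
        "two_different_immutable": two_different_immutable,
    }


# Constructed sample inventory; the cloud copy has a failed verification.
SAMPLE = [
    BackupCopy("production", "disk", offsite=False, immutable=False, verified=True),
    BackupCopy("nightly-tape", "tape", offsite=True, immutable=True, verified=True),
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True, verified=False),
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key:>24}: {value}")
```

With the sample inventory the 3-2-1 tier passes but 3-2-1-1-0 fails solely because one immutable copy has not been verified, which is exactly the "surprise" the zero-errors step is meant to rule out.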