A biomedical research lab in Australia. The Chilean Army. Now Prospect Medical Holdings, including the three hospitals and outpatient facilities it owns in Connecticut.
A gang of cybercriminals known as Rhysida, which targets the education, government, manufacturing and technology sectors, recently made its foray into health care with a ransomware attack on California-based Prospect Medical Holdings.
Prospect’s three hospitals in Connecticut — Waterbury Hospital, Manchester Memorial Hospital and Rockville General Hospital — are still dealing with the crippling effects of the attack, which was first reported Aug. 3.
The attack shut down Prospect’s computer systems, causing some patients to be diverted to other facilities and services to be suspended. The company is still working to resolve the outage, and some services remain unavailable.
A spokeswoman for the company said it is working with law enforcement and has hired a third-party cybersecurity firm to investigate.
“While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible,” the statement said.
According to the Health Information Sharing and Analysis Center, the attack was perpetrated by Rhysida. The group deploys ransomware via phishing attacks to breach a target’s network, and then encrypts their files. Rhysida then threatens to sell the data at auction unless the victim pays a ransom.
The ransomware leaves PDFs on affected systems, instructing victims to contact the group using a “victim support portal” and pay a ransom via Bitcoin, according to a bulletin from the U.S. Department of Health and Human Services (HHS).
“The threat isn’t ‘just’ locked computers, or patients unable to be assisted. There’s the very real possibility of said patients having their medical or other personal data thrown online for all to see,” according to a Malwarebytes blog post about Rhysida.
The group was formed in May. In its first three months of existence, Rhysida has emerged as a prolific cyberattacker, striking victims across Western Europe, North and South America and Australia, according to HHS.
Rhysida tends to avoid targeting former Soviet Republic or bloc countries in Eastern Europe and Central Asia’s Commonwealth of Independent States, the HHS alert says.
One of the group’s first attacks, on May 29, drew attention as it targeted the Chilean Army’s internal network. Rhysida then leaked data belonging to the army on June 15.
The group also hit Haemokinesis LTD, a research laboratory in Australia.
The recent attack affected all 16 of Prospect’s hospitals and more than 100 outpatient centers, which are located in Pennsylvania, Rhode Island and California, as well as Connecticut.
Patients seeking information can call 860-646-1222.
