In what appears to be an attack by the Hive ransomware gang, computers at the nonprofit Memorial Health System were encrypted, forcing staff to work with paper cards.
The attack occurred early Sunday morning, and IT staff detected it when they noticed that parts of the infrastructure were no longer responding as expected.
Memorial Health System is a small network comprising three hospitals (Marietta Memorial Hospital, Selby General Hospital, and Sistersville General Hospital) in Ohio and West Virginia, outpatient service sites, and provider clinics.
An integrated, not-for-profit health system, the organization has more than 3,000 employees and is governed by a volunteer board of directors made up of community members.
Canceled surgical cases
The attack disrupted clinical and financial operations, leading to the cancellation of urgent surgical cases and X-ray exams on Monday.
On Sunday, after learning more about the attack, the organization issued a press release to notify the community of the incident.
Memorial Health System President and CEO Scott Cantley said at the time that patient or employee data had not been compromised and that an investigation was underway to get a full picture of what happened.
Patient data is likely stolen
Usually, ransomware attacks come with a data breach. Before deploying the encryption routine, hackers typically spend time on the network determining the most valuable systems and stealing data.
By exfiltrating information, attackers have more leverage to force the victim to pay the ransom in exchange for the promise not to share or disclose the stolen data and to provide a decryption tool.
This case does not seem different. BleepingComputer saw evidence that the attackers stole databases containing information belonging to 200,000 patients, which included sensitive details, such as social security numbers, names and dates of birth.
The attack is attributed to the Hive ransomware gang, which appeared at the end of June and was discovered by dnwls0719. Despite its short period of activity, the group has already claimed several lives.
Like most ransomware gangs, Hive has a leak site called HiveLeaks hosted on the dark web, where they posted links to data stolen from nearly two dozen victims who did not pay the ransom.
Most of the businesses listed on the leak site appear to be small to medium in size, many with around 100 or fewer employees.
The biggest of the unpaid victims is Altus Group, a software and data solutions provider for the commercial real estate industry. According to the attacker, the company has 2,500 employees and a turnover of 500 million dollars.