Crooks get their hands on 500K+ radiology patients' records in cyber-attack

Two ransomware gangs bragged of massive theft of personal info and medical files


Consulting Radiologists has notified almost 512,000 patients that digital intruders accessed their personal and medical information during a February cyberattack.

The 90-year-old Minnesota-based healthcare biz provides on-site radiology services for 22 hospitals and clinics, plus remote teleradiology for more than 100 facilities in upper Midwest America.

According to a privacy breach notification filed with the Maine Attorney General, the physician-owned operation spotted suspicious activity on its network on February 12, and shortly after "learned that an unauthorized actor accessed certain files and data stored within our network."

This included patients' names, addresses, dates of birth, Social Security numbers, health insurance information, and medical records, all belonging to 511,947 people.

"At this time, we have no evidence any of the information has been misused by a third party, but because information related to you was disclosed, we are notifying you out of full transparency," the radiology firm told patients in a notification letter [PDF]. 

As part of its incident response, the business hired a cybersecurity outfit to assist in its investigation, and deployed "additional monitoring tools" while it takes steps to "enhance the security of our systems." It's also offering affected individuals 12 months of free credit monitoring services.

Consulting Radiologists did not immediately respond to The Register's questions about the break-in, including how the data thieves gained access to its network, if they demanded a ransom payment, and what additional security measures have been added to better protect patients' files.

Two ransomware crews, LockBit and Qilin, both claimed in April to have stolen Consulting Radiologists' data. Russia-based Qilin claimed to have made off with more than 70GB, covering 94,667 files. This is the same gang behind the Synnovis ransomware attack, which continues to cause a healthcare crisis at London hospitals.

Synnovis is a partnership between pathology services company Synlab Group and two London NHS Trusts, and in an interview with The Register, the ransomware crew said it has no regrets about targeting a critical services organization.

A spokesperson for the criminals said that attack was politically motivated, and when asked if they figured a healthcare crisis in the capital city would ensue, said: "Yes, we knew that. That was our goal." ®

Speaking of ransomware maniacs

LockBit has returned with a vengeance following that crew's apparent takedown by an international government effort earlier this year.

According to NCC Group, the gang reemerged in May with a 665 percent increase in attack volume compared to April's 176 hits. Overall, global ransomware infections increased by 32 percent month-on-month (356 to 470) and eight percent year-on-year (435 to 470).

Still, the report cautions against simply taking the criminals at their word when it comes to intrusions. "There is some speculation that LockBit has not actually managed to recover their operations fully but is instead reposting old victims in an attempt to put forth an image of imperturbability," according to the report [PDF].

And while the claimed surge in victims suggests the group didn't simply dissolve, a la Hive following that gang's takedown, Matt Hull, global head of threat intelligence at NCC Group, said it's too soon to tell.

"It's possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist," Hull opined in a memo.

"Alternatively, the group might be inflating their numbers to conceal the true state of their organization," he added.
