Ohio Health System Addresses Cyberattack and Fraud Schemes


Experts Identify Interlock Ransomware Gang Behind Kettering Health Cyberattack

Kettering Health, which manages 14 medical centers and 120 outpatient facilities in Ohio, is addressing a cyberattack detected on Tuesday. (Image: Kettering Health)

Kettering Health is currently responding to a significant cyberattack that has disrupted patient care services and disabled multiple IT systems, including its patient portal and phone lines. Reports indicate that this incident may involve ransomware encryption and data theft, with cybersecurity experts suggesting that the emerging Interlock ransomware gang may be behind the attack.

On the day of the breach, Kettering experienced a system-wide technology failure that curtailed access to vital patient care systems. The organization stated that it has established protocols for such incidents and is committed to maintaining safe, high-quality care for patients within its facilities. However, elective inpatient and outpatient procedures have been canceled, while emergency rooms and clinics remain operational. The organization’s call center continues to face outages, further complicating communications.

In an update issued late the following Wednesday, Kettering indicated that patient procedures are being evaluated individually, emphasizing that safety remains the highest priority. The health system clarified that there is no evidence to suggest the compromise of personal mobile applications such as MyChart. It also advised that it will not reach out to staff or patients via social media.

Kettering Health operates as part of the Seventh-day Adventist church and consists of over 14 medical centers and more than 120 outpatient facilities in western Ohio, boasting a workforce of over 1,800 physicians and 15,000 employees. Given the current situation, Kettering has alerted patients about ongoing scam phone calls from individuals impersonating medical bill collectors and requesting credit card information.

While Kettering has not confirmed a direct link between these scam calls and the IT outage, experts warn that cybercriminals often exploit such incidents. Mohammad Waqas, CTO of the security firm Armis, highlighted that attackers are opportunistic and take advantage of the heightened vulnerability surrounding such breaches. Even if these scammers are uninvolved in the direct cyberattack, they could leverage the unfolding circumstances to exploit patients’ expectations.

Reports from media outlets such as CNN and local Ohio news have further indicated that the Kettering attack features elements of ransomware encryption and data exfiltration. Cybercriminals have allegedly threatened to leak sensitive information within 72 hours unless their ransom demands are met. Despite this, a Kettering spokesperson has refrained from specifying details about the incident, including whether it involves ransomware.

Security experts, including Jeff Wichman from Semperis, have pointed towards the Interlock gang as the primary suspect. This group is known for its credential-based access methodology, typically achieved through phishing or exploiting unprotected remote desktop and VPN accounts. Their approach often includes deploying lateral movement tools to facilitate data exfiltration prior to encryption.
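As an added illustration of the chain described above (not code from the article or from any firm it quotes), the detector below walks constructed log events per account through three stages: a VPN or RDP logon from an external address, repeated remote execution against other hosts (lateral movement), then a bulk transfer to an outside host before any encryption activity. The event format, the internal address ranges, and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space (placeholder, not any real organisation's ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 1_000_000_000   # assumed threshold: 1 GB sent to an outside host
WINDOW = 6 * 3600             # assumed: the whole chain completes within six hours

# Constructed sample events: (timestamp, kind, account, src, dst, bytes)
SAMPLE_EVENTS = [
    (100, "vpn_logon", "jdoe", "203.0.113.7", "vpn-gw", 0),
    (120, "vpn_logon", "asmith", "10.20.3.4", "vpn-gw", 0),
    (130, "remote_exec", "asmith", "ws-03", "fs-02", 0),
    (160, "remote_exec", "jdoe", "ws-17", "fs-02", 0),
    (190, "remote_exec", "jdoe", "ws-17", "db-01", 0),
    (400, "outbound_xfer", "jdoe", "fs-02", "198.51.100.9", 6_000_000_000),
]

def is_external(addr):
    """True for an IP outside INTERNAL_NETS; hostnames are treated as internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def find_chains(events):
    """Per account, in time order: (1) external VPN/RDP logon, (2) at least two
    remote executions, (3) bulk transfer to an external host within WINDOW.
    Returns {account: details} for every completed chain."""
    by_acct = defaultdict(list)
    for ev in sorted(events):
        by_acct[ev[2]].append(ev)
    hits = {}
    for acct, evs in by_acct.items():
        stage, start, hops = 0, None, 0
        for ts, kind, _, src, dst, nbytes in evs:
            if stage == 0 and kind in ("vpn_logon", "rdp_logon") and is_external(src):
                stage, start = 1, ts
            elif stage == 1 and kind == "remote_exec":
                hops += 1
                stage = 2 if hops >= 2 else 1
            elif stage == 2 and kind == "outbound_xfer" and is_external(dst) and nbytes >= EXFIL_BYTES:
                if ts - start <= WINDOW:
                    hits[acct] = {"start": start, "hops": hops, "exfil_bytes": nbytes}
                break
    return hits

if __name__ == "__main__":
    for acct, info in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {acct}: {info}")
```

In the sample data only jdoe completes the chain; asmith logs on from an internal address and makes a single hop, so no alert is raised for that account.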

Wichman added that this attack appears consistent with historical patterns seen within the healthcare sector, characterized by legacy system vulnerabilities, flat network structures, and human error. Cyberattacks on healthcare providers that disrupt patient care have put lives at risk. However, given that Kettering’s emergency services remain operational, albeit in a manual capacity, some level of care continuity has been preserved.

The Kettering Health cyberattack is part of a broader trend affecting the healthcare sector, which has become increasingly targeted by ransomware groups in recent years. The implications of such incidents underscore the critical need for organizations, particularly in the healthcare domain, to fortify their cybersecurity frameworks. The tactics and techniques used in this attack could align with several adversary strategies outlined in the MITRE ATT&CK framework, including initial access through credential theft, followed by execution of malicious code and data exfiltration. This further highlights the ongoing risks that require vigilant prevention and response measures.
