Ransomware Group Rhysida Claims to Have Leaked 3.7TB of Data From Maryland Hospital System

MedStar Health, which operates 10 hospitals and more than 300 care locations in Maryland, Virginia, and Washington, D.C., is notifying an undisclosed number of patients about a significant data theft incident involving their sensitive information. The ransomware group Rhysida has claimed on its dark web leak site that it holds 3.7 terabytes of MedStar data, including more than 7 million pieces of patient personal data.
According to a breach notification posted on MedStar's official website, the organization began informing affected individuals by mail on December 3. The notification states that the incident first came to MedStar's attention on October 4, when unauthorized access to MedStar Health systems holding patient information was detected.
MedStar Health says it took immediate steps to secure its systems, opened an investigation with third-party forensic experts, and notified law enforcement. The investigation determined that the unauthorized access lasted from September 12 to September 16.
The compromised data includes critical patient information such as names, birth dates, Social Security numbers, and possibly sensitive health-related details, encompassing diagnoses, treatments, and insurance information. In response to the breach, MedStar is offering complimentary identity monitoring services to affected patients whose Social Security numbers or driver’s licenses might have been compromised.
Legal Implications
As the situation unfolds, MedStar is facing a consolidated proposed federal class-action lawsuit related to the cyber incident. An amended complaint filed on December 15 alleges that Rhysida publicly acknowledged its role in the breach on or around October 4, claiming responsibility for exfiltrating the 7 million pieces of patient data.
The lawsuit claims the gang posted a countdown timer indicating that the data would be put up for sale for 25 bitcoin. The complaint further alleges that Rhysida continues to host MedStar's data on its dark web site, including SQL databases and extensive health-related records.
The lawsuit seeks financial restitution and injunctive relief to ensure enhanced security measures to protect the private information that remains within MedStar’s custody. It argues that the data breach has resulted in significant risks for plaintiffs and other class members, exposing them to identity theft, fraud, and other unauthorized uses of their private information.
This is not MedStar's first encounter with ransomware. A prior attack in March 2016 forced MedStar to shut down multiple systems for approximately a week to contain the spread of the malware. MedStar now ranks among at least 240 organizations purportedly victimized by Rhysida, many of them also in the healthcare sector.
Since emerging in 2023, the ransomware-as-a-service group Rhysida has prompted repeated alerts from U.S. federal agencies warning the healthcare, education, and government sectors, among others, of ongoing attacks attributed to the group. The behavior reported in this breach, unauthorized access followed by exfiltration of data later offered for sale, maps onto the initial access, execution, and exfiltration tactics in the MITRE ATT&CK framework, although MedStar has not disclosed which specific techniques were used; the pattern is typical of the double-extortion threat that healthcare organizations face today.