- The Department of Health and Human Services is alerting healthcare providers about the resurgence of a ransomware group after an attack on an unnamed U.S. cancer center “significantly reduced” its treatment capability, shut down digital services and threatened to expose patient identifiers and personal health information.
- TimisoaraHackerTeam, or THT, is a “relatively unknown” group that has used legitimate products like Microsoft BitLocker or Jetico’s BestCrypt to encrypt files on a computer system and demand ransom payments in Bitcoin, the cybersecurity notification said.
- THT was first discovered by researchers in 2018, and the group was loosely tied to an attack against a French hospital in April 2021. The HHS said the healthcare sector is particularly vulnerable because of hospitals’ higher likelihood to pay a ransom, the high value of patient records and often weak security.
Data breaches at healthcare organizations have been on the rise since 2010, and they’re increasingly caused by hacking incidents in which criminals demand payment in exchange for restored access to medical data.
The industry is a valuable target for hackers due to its wealth of data and weaker threat mitigation, according to a recent report from Moody’s Investors Service. The sector was also hurt by staff shortages and burnout during the COVID-19 pandemic.
The stakes are high, as cyberattacks against hospitals can compromise patient safety and access. A ransomware attack on CommonSpirit Health exposed the protected health information of almost 624,000 people late last year, preventing EHR access and delaying care.
Attacks can also have significant financial impacts, especially for smaller hospitals. St. Margaret’s Health in rural Illinois recently shut its doors, blaming the closure in part on a ransomware attack in 2021.
HHS said THT could be linked to other ransomware groups like DeepBlueMagic, which was tied to an attack on a medical center in Israel that was followed by a rash of cyberattacks on the country’s health sector, and the China-affiliated state-sponsored group APT41.
THT is named after a Romanian town and its ransomware seemed to be developed by Romanian speakers, according to the brief. But analysts couldn’t say if THT was actually operating in the country or using a false lead.