Lockbit ransomware gang hit the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York

LockBit ransomware group breached two hospitals, the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York.

The Lockbit ransomware group claims to have hacked two major hospitals, the Carthage Area Hospital and Claxton-Hepburn Medical Center. The two hospitals serve hundreds of thousands of people in upstate New York.

The cyberattack took place at the end of August and had a severe impact on the two hospitals in the last couple of weeks. The phone systems were restored on September 2, however the cyberattacks impacted several other services. As a precaution, the emergency rooms at Carthage and Claxton have been put on diversion, the patients were hijacked to other area hospitals and most of the appointments were rescheduled.

“All patients with appointments that need to be rescheduled will be contacted. Any patient with urgent health concerns should still call their healthcare provider. Patients with emergency conditions should go to their nearest emergency department,” states the administration oat the hospital.

The two hospitals are still struggling to recover from cyberattacks.

The FBI launched an investigation into the incident along with the New York State Department of Health and the Division of Homeland Security and Emergency Services.

The situation is still critical at the Claxton-Hepburn Medical Center, this week it announced that it would continue canceling outpatient appointments through this week at health centers and physician offices, The Record Media reported.

This week the LockBit ransomware gang added the hospitals to its Tor leak site. The group claims to publish the alleged stolen data by September 19, 2023, if the victims don’t pay the ransom.

At this time the group has yet to publish any samples of the alleged stolen data as a proof of the hack.

This isn’t the first time the Lockbit gang or its affiliates hit a hospital. In January, the LockBit ransomware gang formally apologized for the attack on the Hospital for Sick Children (SickKids) and released a free decryptor for the Hospital.

The group is known to have a role for its affiliated that prohibits attacking healthcare organizations. Its policy forbids to encrypt systems of organizations where damage could lead to the death of individuals.

The gang explained that one of its partners attacked SickKids violating its rules, for this reason it block the affiliate.

Affiliates of the Lockbit gang have also hit other healthcare organizations in the past, in early December 2022, the Hospital Centre of Versailles was hit by a cyber attack that was attributed to the group. Hospital Centre of Versailles, which includes Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, canceled operations and transferred some patients due to the cyberattack.

In August, the gang attacked the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris. The attack disrupted the emergency services and surgeries and forced the hospital to refer patients to other structures. According to local media, threat actors demand a $10 million ransom to provide the decryption key to restore encrypted data.

Other ransomware attacks recently hit US hospitals. Recently the Rhysida ransomware group made the headlines because it announced the hack of Prospect Medical Holdings and the theft of sensitive information from the organization.

The Rhysida ransomware group threatened Prospect Medical Holdings to leak the stolen data if the company did not pay a 50 Bitcoins ransom (worth $1.3 million). The same group this week claimed to have breached other three US hospitals.

The systems at three hospitals and other medical facilities operated by Singing River Health System were hit by a cyber attack at the end of August.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)