Rhysida Ransomware group claims to have breached Bayhealth Hospital in Delaware

Pierluigi Paganini August 08, 2024

The Rhysida Ransomware group claims to have breached Bayhealth Hospital in Delaware and offers alleged stolen data for 25 BTC.

Bayhealth Hospital is a technologically advanced not-for-profit healthcare system with nearly 4,000 employees and a medical staff of more than 450 physicians and 200 advanced practice clinicians.

Bayhealth Medical Center, serving central and southern Delaware, operates two hospitals: Bayhealth Hospital, Kent Campus in Dover and Bayhealth Hospital, Sussex Campus in Milford, along with the Bayhealth Emergency Center in Smyrna. The center has 316 beds and offers inpatient services including birthing, cardiovascular, and cancer care. It also provides various outpatient services, support services, community outreach, and imaging. Both the Kent and Sussex campuses feature 24-hour emergency departments with Level III trauma centers, and the Smyrna center also has a 24-hour emergency department.

The Rhysida Ransomware group claims to have breached Bayhealth Hospital and added the hospital to the list of victims on its Tor leak site.

The group claims to have stolen data from the hospital and is demanding 25 BTC to avoid its leak. The group leaked screenshots of stolen passports and ID cards as proof if the hack.

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!” announced the gang.

It isn’t the first time that the Rhysida Ransomware group targeted a hospital. In December 2023, the group claimed to have hacked Abdali Hospital, a multi-specialty hospital located in Jordan.

At the end of November, the ransomware group claimed to have hacked King Edward VII’s Hospital in London. The group also claimed the hack of the British Library and China Energy Engineering Corporation.

The Rhysida ransomware group has been active since May 2023. According to the gang’s Tor leak site, at least 62 companies are victims of the operation.

The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. The victims of the group are “targets of opportunity.”

In December 2023, FBI and CISA published a joint Cybersecurity Advisory (CSA) to warn of Rhysida ransomware attacks. The advisory is part of the ongoing #StopRansomware effort, disseminating information about tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups.

The report includes IOCs and TTPs identified through investigations as recently as September 2023.

Healthcare infrastructure in the US continues to be under attack, in February the Lurie Children’s Hospital in Chicago took IT systems offline after a cyberattack. The security incident severely impacted normal operations also causing the delay of medical care.

Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.

In early November 2023, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limiting the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.

The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas.

In November 2023, the Lorenz extortion group leaked the data stolen from the Texas-based Cogdell Memorial Hospital.

Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bayhealth Hospital)



you might also like

leave a comment