Rhysida Claims Responsibility for Ransomware Attack on Prospect Medical and Threatens Data Sale

The Rhysida ransomware group has asserted its involvement in a significant cyberattack on Prospect Medical Holdings, purporting to have acquired 500,000 social security numbers, confidential corporate materials, and patient records.

The attack, believed to have taken place on August 3rd, led to ransom notes appearing on employee screens, stating that the network had been compromised and devices encrypted.

Prospect Medical Holdings (PMH), a US healthcare entity managing 16 hospitals across California, Connecticut, Pennsylvania, and Rhode Island, in addition to an expansive network comprising 166 outpatient clinics and centers, was forced to suspend its IT networks to halt the attack’s progression, prompting a return to manual charting procedures.

Although PMH refrained from responding to inquiries concerning the security breach, subsequent investigations by BleepingComputer confirmed the Rhysida ransomware group’s culpability.

At present, PMH hospital networks, including CharterCare, have reported the successful restoration of system functionality. However, efforts to reinstate patient records remain ongoing.

A CharterCare.org notification states, “Work is ongoing to digitize the paper patient records used by our caregivers while our systems were offline, integrating them into our electronic medical record (EMR) system.”

Notably, employees have not been informed whether their data was compromised during the attack.

Emerging in May 2023, the Rhysida ransomware operation rapidly gained notoriety, notably targeting the Chilean Army (Ejército de Chile) and subsequently exposing sensitive data.

Earlier this month, the US Department of Health and Human Services (HHS) issued a warning attributing recent attacks on healthcare organizations to the Rhysida group.

In the latest development, the Rhysida ransomware faction has claimed responsibility for the Prospect Medical Holdings breach and is threatening to sell the company’s purportedly stolen data for 50 Bitcoins, equivalent to $1.3 million.

The malevolent actors assert that they seized an extensive trove of documents amounting to 1 terabyte and a 1.3 terabyte SQL database, encompassing 500,000 social security numbers, passports, driver’s licenses, corporate materials, and patient medical details.

A statement from the Rhysida data leak platform reads, “They kindly provided: more than 500,000 SSNs, client and employee passports, driver’s licenses, patient dossiers including profiles and medical histories, as well as financial and legal documentation!!!”

The ransomware group’s data leak platform additionally disseminated multiple screenshots showcasing driver’s licenses, social security cards, various documents, and purported patient medical information.

Several screenshots revealed leaked documents bearing the letterhead of Eastern Connecticut Health Network, one of PMH’s affiliated hospital networks.