A Dallas-based Catholic, not-for-profit medical system has experienced a ransomware attack that it says did not affect any private patient health information.
Katy Kiser, director of external communications and social media at Christus Health, confirmed the unauthorized activity on the system’s network.
“Christus Health recently learned of unauthorized activity on its computer network,” Kiser said in a statement. “This was quickly identified and blocked by Christus Information Security. At this time, it appears that the incident is limited and didn’t impact any of Christus Health’s patient care or clinical operations. We are working with industry experts to investigate and address the issue. Christus values and is committed to the privacy and security of all those we are privileged to serve.”
AvosLocker, a new ransomware group, has claimed credit for the attack on the Catholic medical system, according to CyberScoop. It is the second health care system targeted by ransomware in the last two months. Michigan-based McKenzie Health System recently began notifying patients about an attack that included a breach of patient information.
Cybersecurity Ventures found that ransomware attacks add up to nearly $20 billion a year. Heath Renfrow, co-founder of FENIX24, a disaster recovery service in Chattanooga, Tenn., said hundreds of ransomware events happen daily. Many cases involve health care, he said, because of the rotating nature of hospitals and patients.
Threat actors are “betting on the fact that the health care provider will end up actually paying the ransom and be able to sit there and get their systems decrypted and get them back operational so they can continue doing business and serving their patients,” Renfrow said. “So really to the (threat actors), it’s a quick win.”
Groups that target hospital systems often leave them in serious debt, he said.
Renfrow said it is likely AvosLocker is affiliated with Russia, since the group has made a pledge to not attack any company in Russia, according to its dark web page.
Hospitals are legally required to notify any patients who are affected, Renfrow said.
“There’s a good chance that if health care providers have been hit by ransomware attacks, their data is going to be exposed,” Renfrow said.
Note: This story was revised Tuesday to clarify that Cybersecurity Ventures did the reseach that found that $20 billion in ransomware attacks happen each year.