Tampa General Hospital half thwarts ransomware attack, but still loses patient data
The Tampa General Hospital (TGH) has promised to reach out to individuals whose information has been stolen by a ransomware group.
In a cybersecurity notice, TGH said it noticed unusual activity on its computer systems on May 31, 2023.
"Fortunately, TGH's monitoring systems and experienced technology professionals effectively prevented encryption, which would have significantly interrupted the hospital's ability to provide care for patients."
While that is good news from a healthcare perspective, the ransomware operators did obtain something of value. An investigation determined that an unauthorized third party accessed TGH's network and obtained files from its systems between May 12 and May 30, 2023.
Further investigation showed that some patient information was included. The information varied from person to person, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers (SSNs), health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations.
According to TGH, the criminals did not access the hospital's electronic medical record system.
TGH says it is mailing letters to individuals whose information may have been compromised, and will provide complimentary credit monitoring and identity theft protection services to those whose Social Security numbers were accessed.
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can't be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Snatch ransomware
On July 18, 2023, Snatch ransomware group claimed responsibility for the data theft on its leak site.
At ThreatDown, we've been tracking the Snatch group since 2019. The group is suspected to operate from Russia. Back in 2019, the group stood out because it deployed a somewhat new technique for ransomware: it forced the affected machine to reboot into safe mode without networking. Safe mode starts Windows in a basic state, using a limited set of files and drivers. It's intended for troubleshooting, but since many monitoring tools will not work in safe mode, it allowed for an undisturbed and quicker encryption process. By choosing the "without networking" mode, the attackers also ensured that remote administrators lost visibility of the system. The Snatch ransomware added itself as a service that Windows was allowed to run in safe mode. Interestingly, for some reason the group no longer uses that method.
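Windows decides which services may run in safe mode from an allow-list in the registry (the SafeBoot\Minimal and SafeBoot\Network keys), and a machine can be forced to restart into safe mode through the boot configuration. The following PowerShell audit is an added example for defenders, not code from the article or from ThreatDown: it lists the services registered for safe mode, flags those whose binary lives outside the Windows directory, and checks whether the boot configuration currently forces a safe-mode start. The function names, the "outside %windir%" heuristic, and the expectation that the script runs from an elevated prompt are this example's own assumptions.

```powershell
# Added example, not from the article: audit the safe-mode service allow-list
# and the boot configuration for anything that has arranged to run in safe mode.
# Run from an elevated prompt; bcdedit needs administrator rights.

$SafeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',   # safe mode without networking
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'    # safe mode with networking
)
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SafeBootServices {
    # Each subkey under a SafeBoot root is named after a service, driver or
    # device class; its (default) value is "Service" for services. Only those
    # are returned here, because that is how a service gets itself started
    # in safe mode.
    foreach ($root in $SafeBootRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $kind = (Get-ItemProperty -Path $key.PSPath).'(default)'
            if ($kind -ne 'Service') { continue }

            $name      = $key.PSChildName
            $svcKey    = Join-Path -Path $ServicesRoot -ChildPath $name
            $imagePath = $null
            if (Test-Path -Path $svcKey) {
                $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            }

            # Heuristic (assumption of this example): a safe-mode service whose
            # binary is not under %windir% deserves a closer look. Normalise
            # %SystemRoot%-style paths, NT-style \??\ prefixes and quoting first.
            $suspicious = $false
            if ($imagePath) {
                $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
                $expanded = ($expanded -replace '^\\\?\?\\', '').Trim('"')
                $suspicious = -not $expanded.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
            }

            [pscustomobject]@{
                Mode       = Split-Path -Path $root -Leaf
                Service    = $name
                ImagePath  = $imagePath
                Suspicious = $suspicious
            }
        }
    }
}

function Test-SafeBootConfigured {
    # bcdedit prints a "safeboot  Minimal" (or "Network") line for the current
    # boot entry when the next start has been forced into safe mode.
    $output = bcdedit /enum '{current}' 2>$null
    return [bool]($output | Select-String -Pattern '^\s*safeboot\s+' -Quiet)
}

# Usage: print the allow-list with the flagged entries first, then warn if the
# next boot has already been pointed at safe mode.
Get-SafeBootServices | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
if (Test-SafeBootConfigured) {
    Write-Warning 'Boot configuration forces the next start into safe mode.'
}
```

Legitimate security products register themselves under SafeBoot\Minimal too, and their binaries often live under Program Files or ProgramData, so a flagged row is a prompt to compare against a known-good baseline rather than a verdict. The same checks are easy to turn into alerting: a new subkey under either SafeBoot root, or a safeboot value appearing in the boot configuration, is a change that should be rare on a managed system.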
Their most common attack vectors include brute-force attacks against vulnerable, exposed services such as RDP, VNC (Virtual Network Computing), and TeamViewer. Programmed in Go, the ransomware component is separate from the data stealer. We have not seen the multi-platform capabilities of Go put to use, and only Windows machines are affected.
ThreatDown detects the Snatch ransomware as Ransom.Snatch.