Two Healthcare Orgs Hit by Ransomware Confirm Data Breaches Impacting Over 100,000

Summary:
Two healthcare organizations have confirmed data breaches affecting more than 100,000 individuals each, both following ransomware attacks. Bell Ambulance, a Milwaukee-based ambulance service, detected a network intrusion on February 13, 2025. The attackers accessed names, dates of birth, Social Security numbers, driver's license information, financial details, medical records, and health insurance information belonging to 114,000 individuals. The Medusa ransomware group claimed responsibility and alleged it had stolen more than 200 GB of data. Separately, Alabama Ophthalmology Associates, an ophthalmology practice in Birmingham, Alabama, disclosed on April 10 that threat actors had access to its systems from January 22 and compromised the personal and protected health information of more than 131,000 current and former patients; the exposed data falls into similar categories. The BianLian ransomware group claimed that attack on February 19, roughly seven weeks before the practice's public disclosure. These incidents add to a worrying trend: more than 700 healthcare data breaches were reported in the US last year, affecting more than 180 million records in total.

Security Officer Comments:
The near-simultaneous disclosure of two substantial ransomware attacks against healthcare organizations, affecting a combined total of more than 245,000 individuals, underscores the persistent and escalating threat ransomware actors pose to this critical sector. The data exposed in both incidents, which includes highly sensitive personal, financial, and medical information, raises the potential for serious harm to the affected individuals, from identity theft and financial fraud to the exposure of private health details, as was observed after the BlackCat attack on Change Healthcare in early 2024. Both attacks were claimed by established ransomware groups, Medusa and BianLian, whose operations are organized and well resourced rather than opportunistic. The Alabama Ophthalmology timeline is particularly instructive: access began on January 22, the BianLian claim appeared on February 19, and the public disclosure followed on April 10, which means patients were unaware for weeks after the attackers themselves had announced the theft. Coming on top of last year's already alarming breach statistics, these incidents should prompt every healthcare provider to prioritize and continually strengthen its defenses, with particular attention to shortening the time between intrusion, detection, and notification.

Suggested Corrections:
Backup your data, system images, and configurations, regularly test them, and keep the backups offline:
Test backups on a regular schedule and keep at least one current copy disconnected from the business network. Many ransomware families search for reachable backups and encrypt or delete them before deploying the payload, so a backup the attacker can reach is not a recovery option. A current, verified, offline copy is what lets the organization restore systems rather than negotiate when production data is encrypted, and a backup that has never been test-restored should be treated as unverified.
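The "regularly test them" part is where most backup programs fall down, so here is a worked example of what a scheduled verification can look like. This is an added illustration, not code from the SecurityWeek article or from either affected organization: it assumes backups are plain tar archives, builds a hash manifest at backup time (the manifest belongs with the offline copy, not on the production network), then test-restores the archive into a scratch directory and compares every file against that manifest. The sample "patient database" and config file are constructed inline; the corruption step simulates what a ransomware-encrypted or truncated backup looks like to the check.

```python
import hashlib
import os
import tarfile
import tempfile

CHUNK = 1 << 20


def sha256_file(path):
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(archive_path):
    """Hash the archive and every regular file inside it.
    The manifest is the reference copy: store it with the offline backup
    (or on separate write-once media), never only on the production network."""
    manifest = {"archive_sha256": sha256_file(archive_path), "members": {}}
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest["members"][member.name] = hashlib.sha256(data).hexdigest()
    return manifest


def verify_restore(archive_path, manifest):
    """Test-restore the archive into a scratch directory and compare it against
    the manifest. Returns a list of problems; an empty list means the backup
    restored cleanly."""
    problems = []
    actual = sha256_file(archive_path)
    if actual != manifest["archive_sha256"]:
        # A wrong hash means this is not the backup we recorded: truncated,
        # corrupted, or overwritten. Ransomware encrypting a reachable backup
        # looks exactly like this, so the contents are not to be trusted.
        problems.append("archive hash mismatch: expected %s, got %s"
                        % (manifest["archive_sha256"], actual))
        return problems
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:*") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal
            except TypeError:  # Python without the extraction-filter API
                tar.extractall(scratch)
        for name, expected in manifest["members"].items():
            restored = os.path.join(scratch, name)
            if not os.path.isfile(restored):
                problems.append("missing after restore: %s" % name)
            elif sha256_file(restored) != expected:
                problems.append("content mismatch after restore: %s" % name)
    return problems


def make_sample_backup(workdir):
    """Constructed sample data standing in for a system image: two files
    packed into a tar archive. Returns the archive path."""
    src = os.path.join(workdir, "src")
    os.makedirs(src, exist_ok=True)
    with open(os.path.join(src, "patients.db"), "wb") as f:
        f.write(b"sample-record-data\n" * 1000)
    with open(os.path.join(src, "config.ini"), "w") as f:
        f.write("[backup]\nschedule=daily\n")
    archive = os.path.join(workdir, "nightly.tar")
    with tarfile.open(archive, "w") as tar:
        tar.add(os.path.join(src, "patients.db"), arcname="patients.db")
        tar.add(os.path.join(src, "config.ini"), arcname="config.ini")
    return archive


def corrupt_archive(archive_path, offset=600):
    """Simulate ransomware or bit-rot hitting the backup: overwrite a chunk of
    file data in the middle of the archive (past the 512-byte tar header)."""
    with open(archive_path, "r+b") as f:
        f.seek(offset)
        f.write(b"\xff" * 16)


def demo():
    """Clean run, then tampered run. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as work:
        archive = make_sample_backup(work)
        manifest = build_manifest(archive)
        before = verify_restore(archive, manifest)
        corrupt_archive(archive)
        after = verify_restore(archive, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean backup problems:", before)
    print("tampered backup problems:", after)
```

The archive-level hash is checked first because a backup that fails it should never be extracted at all; the per-file comparison then catches the subtler case of an archive that opens fine but no longer contains what was recorded. In practice the restore target should be an isolated host, and the run should be scheduled and alerting, since a check nobody reads is as good as no check.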

Update and patch systems promptly: Keep operating systems, applications, and firmware current. Consider a centralized patch management system, and use a risk-based assessment to decide what gets patched first, starting with internet-facing systems and known exploited vulnerabilities.

Test your incident response plan: Nothing exposes the gaps in a plan like exercising it. Work through some core questions and use the answers to build and refine the plan: Can you sustain operations without access to certain systems? For how long? Would you suspend clinical operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware operators are aggressive and capable and will find the equivalent of unlocked doors.

Segment your networks: Ransomware attacks increasingly combine data theft with operational disruption, as both incidents above show. It is critical that corporate business functions are separated from clinical and operational networks, that internet access from operational networks is carefully filtered and limited, and that every link between the two is identified. Develop workarounds or manual controls so that operational networks can be isolated and keep running if the corporate network is compromised, and regularly test those contingency plans so safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most common initial access vector for organizations. Train users to recognize and report phishing emails. Multi-factor authentication limits what a phished password alone can unlock.

Implement multi-factor authentication (MFA): External-facing assets protected by single-factor authentication (SFA) are highly exposed to brute-forcing, password spraying, and remote access with valid stolen credentials, which is how many ransomware intrusions begin. Enforcing MFA on remote access, email, and administrative interfaces adds a second check that a stolen password alone cannot pass.
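To make concrete what the second factor in the MFA and training items above actually checks, here is a minimal server-side verifier for time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP). This is an added example, not code from the SecurityWeek article or from any product the affected organizations use; it uses only the Python standard library and the published RFC 6238 test secret (the ASCII string "12345678901234567890"), so the expected codes are the ones in the RFC's test table. The `TotpVerifier` class, its window and replay handling, and the in-memory `last_step` are this example's own design choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, dynamic
    truncation to 31 bits, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check of a user's second factor (example design, not a
    reference implementation).

    Accepts the code for the current time step and up to `window` adjacent
    steps to tolerate clock drift, and remembers the last accepted step so
    a code captured in transit cannot be replayed. In a real deployment the
    per-user secret and last-used step live in a datastore, and attempts
    must be rate-limited: a 6-digit code has only 1,000,000 values, so
    unthrottled online guessing would defeat it."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = time.time()
        # Reject anything that is not exactly `digits` ASCII digits before
        # comparing, so malformed input cannot reach the HMAC path.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        current = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue  # already used, or older than one already used
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_step = step
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII), used here so results are checkable.
RFC_SECRET = b"12345678901234567890"


def demo():
    """Walk through accept, replay, drift and stale-code cases.
    Returns a dict of outcomes."""
    code_at_59 = totp(RFC_SECRET, 59, digits=8)       # RFC table: 94287082
    v = TotpVerifier(RFC_SECRET, digits=8)
    first = v.verify(code_at_59, 59)                   # fresh code: accepted
    replay = v.verify(code_at_59, 59)                  # same code again: rejected
    drift = TotpVerifier(RFC_SECRET, digits=8).verify(code_at_59, 61)   # next step, in window
    stale = TotpVerifier(RFC_SECRET, digits=8).verify(code_at_59, 95)   # two steps later, outside
    return {"code": code_at_59, "first": first, "replay": replay,
            "drift": drift, "stale": stale}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The replay guard is what distinguishes a second factor from a second password: a code an attacker intercepts is useless once the legitimate login has consumed its time step. The drift window should be kept small (one step here), because every extra step doubles the number of codes an online guesser can hit.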

Link(s):
https://www.securityweek.com/two-healthcare-orgs-hit-by-ransomware-confirm-data-breaches-impacting-over-100000/