American healthcare conglomerate Prospect Medical Holdings suffered system-wide cyberattacks last week throughout multiple states. The incident disrupted ambulances and forced hospitals to suspend emergency care, with a leading medical association deeming the attacks “threat-to-life” crimes. Cybersixgill has detected credentials for affected entities advertised on a popular underground marketplace frequented by cybercriminals.
On August 3, 2023, California-based healthcare provider Prospect Medical Holdings1 (PMH) faced devastating cyber attacks that shut down computer systems, disrupting primary care services at facilities in Connecticut, California, Pennsylvania, and Rhode Island. Among the services affected by the attack were emergency room care, ambulance dispatch, elective surgeries, outpatient appointments, and blood collection.
The U.S. Federal Bureau of Investigation (FBI) confirmed that the incident was a ransomware attack but provided no further details regarding the perpetrators or the attack chain. PMH’s Crozer Health facility in Pennsylvania also confirmed to local press that the incident was a ransomware attack. As of August 7, 2023, no threat actors publicly took credit for the attacks, nor did Cybersixgill detect any stolen data related to the named victim entities on ransomware groups’ dedicated leak sites2 (DLS). Cybersixgill collected intelligence items related to affected entities, which are discussed in the section that follows.
The affected facilities diverted patients or stopped admitting new cases, which resulted in the American Hospital Association’s (AHA) national advisor for cybersecurity and risk deeming the attacks “threat-to-life crimes.” According to the AHA, the attacks jeopardized both the health of patients within hospitals and the safety of the wider community, which depends on emergency department care. In addition to the AHA, the White House and the U.S. Department of Health and Human Services also monitored the attack, according to a National Security Council spokesperson.
The affected organizations that were publicly identified included facilities in Connecticut (Eastern Connecticut Health Network, Waterbury Hospital, Manchester Memorial, and Rockville General Hospital), Pennsylvania (Crozer-Chester Medical Center, Taylor Hospital, Delaware County Memorial Hospital, and Springfield Hospital), and California (Southern California Hospital Hollywood and Good Samaritan Regional Medical Center). To mitigate the effects of the cyber attacks, the victims reverted to manual equipment monitoring and paper record keeping.
Healthcare organizations rely on the Internet and network-connected systems to store records and provide preventative care information, which means their attack surface is large. Indeed, entities in the healthcare industry remain primary targets for threat actors, with IBM estimating that data breaches on entities in this sector cost on average $11 million each year. Threat actors attack healthcare providers because they process massive amounts of sensitive patient data, financial information, and other items, some of which include protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA)3. Cyber criminals use this information for fraud, identity theft, and other malicious activities.
In July 2023, for example, it was revealed that a ransomware group stole confidential data from Tampa General Hospital4 (TGH) related to 1.2 million patients, which could be used in phishing attacks, social engineering campaigns, and various scams. While neither TGH nor the local media identified the culprit, Cybersixgill collected a post on the attacker’s DLS related to the TGH breach.
While investigating the attacks on PMH entities, Cybersixgill observed credentials-for-sale related to organizations affected by the attacks. Based on the domain associated with these credentials, they appear connected to an RDS Gateway asset, a component of Microsoft Remote Desktop Services (RDS). Such portals serve as internet gateways for remote users to access an organization’s resources, such as virtual desktops or remote applications. RDS Gateway encapsulates Remote Desktop Protocol (RDP) traffic within HTTPS to provide a secure connection, allowing users to connect to internal resources without a VPN (virtual private network), controlling access and providing encryption for remote connections.
With RDS Gateway login credentials, cybercriminals can infiltrate remote desktop environments. Once they gain unauthorized access, they can steal sensitive data, including personal information, financial data, and intellectual property or trade secrets. This data can be used for extortion or resold to other threat actors. Cybercriminals can also use RDS Gateway access to deploy malware, including ransomware. In addition, this type of access can be used for privilege escalation and lateral movement, which allow threat actors to remain undetected on systems for prolonged periods of time, modify configurations, create new users, or carry out other malicious activities.
As these consequences illustrate, protecting RDS Gateway login credentials is critical to prevent unauthorized access and cyber attacks. It should be noted that the credentials detected by Cybersixgill cannot be definitively linked to the recently reported PMH attacks.
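As an added illustration (not from Cybersixgill or the original article), the sketch below shows one way a defender could triage RD Gateway connection events once an account is known to be exposed: it flags connections from client addresses never seen for that user during a baseline window. The CSV layout, account names, hosts and addresses are constructed assumptions; a real deployment would export the gateway's operational event log into a similar shape.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of RD Gateway connection events exported to CSV.
# The column layout is an assumption; event 302 is the gateway's
# "user connected to a network resource" event, 303 the disconnect.
SAMPLE_LOG = """time,event_id,user,client_ip,resource
2023-07-03T08:01:10,302,CORP\\jdoe,203.0.113.10,ts01.corp.example
2023-07-03T17:30:02,303,CORP\\jdoe,203.0.113.10,ts01.corp.example
2023-07-05T09:12:44,302,CORP\\asmith,198.51.100.7,ts02.corp.example
2023-07-20T08:03:51,302,corp\\jdoe,203.0.113.10,ts01.corp.example
2023-07-21T02:47:19,302,CORP\\jdoe,192.0.2.55,ts01.corp.example
2023-07-21T02:58:40,302,CORP\\jdoe,192.0.2.55,ts02.corp.example
2023-07-22T10:15:00,302,CORP\\asmith,198.51.100.99,ts02.corp.example
"""

# Accounts reported in a credential-exposure feed (constructed value).
EXPOSED_ACCOUNTS = {"corp\\jdoe"}

def triage(log_text, exposed, baseline_end):
    """Flag post-baseline connections from IPs not seen for that user before."""
    baseline = defaultdict(set)   # user -> client IPs seen during the baseline
    alerts, seen = [], set()      # seen de-duplicates repeated (user, ip) pairs
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    for row in rows:
        if row["event_id"] != "302":       # only connection events matter here
            continue
        user = row["user"].lower()         # Windows account names ignore case
        ip = row["client_ip"]
        if datetime.fromisoformat(row["time"]) < baseline_end:
            baseline[user].add(ip)
            continue
        if ip in baseline[user] or (user, ip) in seen:
            continue
        seen.add((user, ip))
        # An unfamiliar source on an exposed account is the urgent case.
        severity = "high" if user in exposed else "review"
        alerts.append((severity, user, ip, row["time"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, EXPOSED_ACCOUNTS, datetime(2023, 7, 15)):
        print(*alert)
```

A "high" result is a prompt to reset the credential and review the session, not proof of compromise; users who travel or change ISPs will also appear under "review".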
In addition to the RDS Gateway credentials, Cybersixgill also observed other potentially internal credentials on the underground that belong to victims of the PMH attacks. While most of the portals with exposed credentials were offline as of August 7, 2023, it is possible that malicious actors leveraged them at some point before news of the recent attack broke. One of the exposed portals remained accessible as of August 7, 2023; it appeared to provide access to a project management platform that may contain confidential information and personal data, which threat actors leverage in phishing campaigns, extortion schemes, and other forms of fraud.
The recent attack on PMH-related entities demonstrates the ultimate danger of cyber attacks on healthcare industry victims. While patient records serve as valuable datasets for cybercriminals perpetrating fraud, attacks such as this one have very serious immediate consequences, such as shutting down emergency rooms and diverting ambulances.
In light of the dangers associated with such attacks, all organizations should implement the following security measures and practices to avoid being the target of a data breach:
Enable multi-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.
Create data copies and backups on external servers that are isolated from the business network.
Build a dedicated incident response team to work closely with staff and quickly mitigate emerging risks.
Limit health record access to specialists who require it to perform their jobs.
Evaluate the risks of all third-party vendors, contractors and partners that manage data by monitoring assets on the Cybersixgill Investigative Portal for a more proactive detection approach.
1 Prospect Medical Holdings (PMH) is a California-based corporation that operates clinics, hospitals, and other facilities in Texas, Connecticut, Rhode Island and Pennsylvania. In California, PMH operates a 130-bed acute care hospital and two behavioral health clinics, among other facilities.
2 A dedicated leak site (DLS) is a website on which threat actors publish stolen data during ransomware attacks when victims do not pay. This strategy is part of the double extortion technique implemented by cyber criminals to maximize the odds of receiving payment from the victims.
3 HIPAA is a federal law enacted in 1996 to protect the privacy and security of personal health information (PHI) and establish standards for electronic exchange of healthcare data. The HIPAA Breach Notification Rule requires covered entities to issue data breach notifications to the HHS Secretary no later than 60 days after the date of discovery of a data breach.
4 Tampa General Hospital is one of the most comprehensive medical centers in the region, serving as the teaching hospital for the University of South Florida Morsani College of Medicine.