
Rhysida Claims Major Data Theft From 2 More Health Systems

Group Threatens to Sell Data From Bayhealth and Community Care Alliance on Dark Web

Ransomware group Rhysida is shaking down at least two new victims in the healthcare sector - Bayhealth and Community Care Alliance - threatening to sell or dump patients' sensitive health and personal information on the dark web.


Rhysida's latest alleged victims include Delaware-based Bayhealth, a not-for-profit healthcare system with several hospitals, 4,000 employees, and 650 physicians and other clinicians - and also Rhode Island-based Community Care Alliance, which offers programs for individuals dealing with mental illness, addiction, housing issues and trauma-related issues.

Rhysida claims to have stolen the personal information of Bayhealth patients, demanding a 25 bitcoin payment, or about $1.5 million. "With just 7 days on the clock, seize the opportunity to bid on exclusive, unique and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!" Rhysida boasted on its dark web listing for Bayhealth on Friday.

Rhysida is demanding 25 bitcoins for data it claims it stole from Bayhealth.

Bayhealth president and CEO Terry Murphy, in a statement to Information Security Media Group, said the organization recently identified unusual activity on its network, and acknowledged that attackers have claimed to have the organization's data.

"On Aug. 7, we were made aware that a third party claimed to have taken and posted Bayhealth data. We will continue to keep stakeholders informed as appropriate as the situation develops," Murphy said.

Upon discovery of the incident, Bayhealth took proactive measures to mitigate potential risks, including disconnecting from specific external systems, he said. "This action led to temporary interruptions in access to a limited number of systems," Murphy said.

Bayhealth has launched an investigation with a third-party forensic firm to determine the incident’s nature and scope, he said.

"While that investigation is ongoing, we have reestablished external connections and are now operating at normal capacity."

Bayhealth did not comment to ISMG on whether Rhysida is behind the attack.

Rhysida says it has 2.5 terabytes of stolen Community Care Alliance data.

In Rhysida's dark website listing for Community Care Alliance, the cybercriminal group claims to have stolen a SQL database with more than 2.5 terabytes of data containing personal information including addresses, Social Security numbers, phone numbers and credit card numbers.

Community Care Alliance declined ISMG's request for comment on Rhysida's claims. The community services organization on Friday did not have a notice or statement about the alleged incident posted on its website.

Other Victims

Rhysida has been at the center of several recent high-profile hacks in the healthcare sector, including an attack on Ann & Robert H. Lurie Children's Hospital of Chicago that disrupted the pediatric hospital's IT systems for weeks and resulted in data theft affecting nearly 776,000 people.

As of Friday, Lurie Children's was still listed as a victim on Rhysida's dark web site. The ransomware group in February put the "exclusive data" up for sale for $3.4 million (see: Rhysida Offers to Sell Children's Hospital Data for $3.4M).

Rhysida also claimed credit last year for an attack on California-based Prospect Medical Holdings that disrupted IT operations at 16 hospitals in several states. That attack, which resulted in a data breach affecting 1.3 million people, is still causing mounting business and legal headaches for Prospect Medical.

The organization faces a consolidated proposed federal class action lawsuit over the breached data, and it is locked in litigation with a Connecticut-based healthcare provider that had planned to buy several Prospect Medical hospitals in that state. The deal was signed before the cyberattack allegedly worsened those facilities' financial conditions and exposed other shortcomings (see: Prospect Medical Facing More Legal Fallout From 2023 Hack).

But Rhysida doesn't just target healthcare sector entities. The group's website lists 112 victim organizations, including educational institutions and government agencies.

Among them is a recent hack on the City of Columbus, Ohio. Rhysida is selling 6.5TB of databases, internal logins and passwords of employees, and "a full dump of servers with emergency services applications of the city, access from city video cameras" that the gang claims to have stolen from the city.

Rhysida’s ransomware operations date back to at least June of 2023, when security experts first observed victims posted to the group’s data leak site, said Jason Baker, senior threat consultant at GuidePoint Security.

"In that time, we’ve seen the group post 114 victims - excluding any which may have opted to pay the ransom before posting," he said.

Some security research from late 2023 to present day found ties between Rhysida and the now-defunct Vice Society ransomware and extortion group, based largely on the overlapping emphasis on education and healthcare organizations, sequential operations and some overlaps in tactics, techniques and procedures, he said.

"We lack confidence based on insufficient data and reporting to ascribe Rhysida as a wholesale 'rebrand' of Vice Society, though the participation of former Vice Society operators as affiliates of Rhysida is possible," Baker said.

Compared to other ransomware groups since the start of 2024, Rhysida is notable but not the most prolific offender in terms of number of victims, he said.

The LockBit group accounts for 17% of observed attacks against healthcare organizations, followed by BianLian at 10%, and Hunters International, INC Ransom and RansomHub each accounting for 7% of the assaults, he said. That outpaces Rhysida, which accounted for only about 3% of healthcare attacks, Baker said.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
