Brunswick psychiatric hospital in New York latest ransomware victim


The Brunswick Hospital Center, an inpatient treatment facility in Long Island, New York, has been claimed by the ThreeAM ransomware group.

The fairly new ransomware group posted the acute care psychiatric hospital on its dark leak blog on Thursday, stating that “files would be available soon.”

The 'published' section of the blog entry for Brunswick Hospital Center shows the amount of stolen files downloaded to the site at 0%.

No other information was listed about the alleged attack, such as how much or what type of sensitive data may have been exfiltrated from the hospital's network systems.

The Brunswick psychiatric hospital is listed as a 146-bed, state-of-the-art inpatient facility serving teens, adults, and seniors for a wide range of psychiatric illnesses, including drug and alcohol addiction.

A patient's psychotherapy notes and mental health records are considered such sensitive personal health information (PHI) that they are subject to special protections under US law, and both a court order and a subpoena would be needed to get access to them, making the attack even more egregious.

ThreeAM leak site. Image by Cybernews.

First established in 1882 in Amityville, New York, the original psychiatric hospital was part of a main hospital complex, which at one point was the largest private hospital in the United States. Both were demolished in 2012, but only the psychiatric center was rebuilt and reopened sometime before the pandemic.

Brunswick serves roughly 428 patients each year with an average stay of 20 days for each patient at roughly $61,000 per patient, often paid through New York State Medicare.

The Center’s total patient revenue for 2023 was listed as $167.2 million by the American Hospital Directory.

Cybernews has reached out to the treatment center and is waiting for a representative to respond with more information. The Brunswick receptionist we spoke with on Friday was unaware of any issues with their computer systems.

Who is ThreeAM?

ThreeAM may appear to be a newcomer to the ransomware scene, but security researchers have tied it to the Russian-linked Conti and Royal (now BlackSuit) ransomware gangs due to similarities in communication channels, infrastructure, and tactics.

According to ThreeAM’s onion site, the gang posted its first victim in August 2023 and has claimed 31 victims on its data leak blog. Before the alleged ransomware attack on the Brunswick Hospital Center, the gang claimed its last victim nearly four months ago, on May 15th, 2024.

ThreeAM’s last two victims – the Louisiana-based HVAC company in May and a French real estate development firm in April – show only 10% of the data published by the group. All other victims show 100% of data published.

ThreeAM leak site. Image by Cybernews.

According to a September 2023 profile by Symantec, the ThreeAM ransomware strain gained notoriety after it was “used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target’s network.”

When the LockBit ransomware variant was blocked by the target, the ransomware affiliate switched successfully to the ThreeAM strain.

According to Symantec, the ransomware is written in the Rust programming language and “attempts to stop multiple services on the infected computer before it begins encrypting files.”

The group is known for using the Cobalt Strike post-exploitation tool for reconnaissance and lateral movement.

Another ThreeAM profile by SOCRadar shows that the gang primarily targets companies in the US, the UK, and France in the manufacturing, transportation, and professional IT sectors.

Since its inception, the group has adopted new extortion tactics, such as using social media to publicize data leaks and using automated bots to direct high-ranking followers to the data leaks, SOCRadar said.