Morris Hospital attack impacts 250k individuals, medical data exposed

An attack on Morris Hospital and Healthcare Centers has exposed data belonging to former and current patients, employees, and their families. Compromised files include medical record numbers, diagnostic codes, and other data.

Morris Hospital, an Illinois-based healthcare organisation, has started notifying individuals impacted by the April attack. In late May, the Royal ransomware gang listed Morris Hospital on its dark web blog, which it uses to showcase its latest victims.

A breach notification letter sent to impacted victims showcases the massive scale of the attack. The cybercrooks stole information about “current and former employees and their dependents or beneficiaries, as well as current and former patients of Morris Hospital.”

According to Morris Hospital’s letter to the Maine Attorney General, 248,943 individuals were exposed in the attack. The attackers may have accessed:

  • Names
  • Addresses
  • Social Security numbers
  • Medical record numbers
  • Codes used to identify diagnoses and treatments
  • Dates of birth of employees and their relatives who were patients at the hospital

Individual healthcare data can be sold for hundreds of dollars on dark web forums. Malicious actors use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personally identifiable information (PII) may be used to commit fraud: from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

Morris Hospital will provide impacted individuals with identity theft resolution services free of charge. However, attack victims need to enroll in the service themselves.

A Cybersecurity and Infrastructure Security Agency (CISA) advisory about the group released in March said that Royal ransom demands could range from approximately $1 million to $11 million in Bitcoin.

Royal was first discovered in 2022 and quickly caught up with better-known ransom outfits such as Lockbit, BlackCat, and Vice Society. The group is reportedly made up of former threat actors from other Russian-linked cyber gangs, including the now-defunct Conti group.

The CISA advisory warned that the gang was specifically targeting critical infrastructure with its own Royal ransomware variant, “which uses a custom-made file encryption program, evolved from earlier iterations that used ‘Zeon’ as a loader.”