Singing River breach exposes healthcare data of 250K+ individuals


A ransomware attack against the Mississippi-based healthcare provider, which forced several hospitals to go offline and manually process patient care for several days, has exposed a trove of sensitive patient data.

Singing River has started contacting individuals impacted by the August ransomware attack, which severely affected the US hospital system. According to the breach notification letter, which Singing River submitted to the Maine Attorney General, attackers roamed the company’s systems for over 48 hours in late August of 2023.

“The investigation determined that the information potentially impacted may include your name, date of birth, address, Social Security number, medical information, and health information. We have no evidence that any of your information was used for identity theft or fraud,” the healthcare provider said.

Individual healthcare data can be sold for hundreds of dollars on dark web forums. For example, malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

Data that the healthcare provider submitted to the authorities revealed that the attack exposed 252,890 individuals in total. Singing River said it would provide its impacted customers with credit monitoring and identity restoration services to mitigate potential issues if the exposed data was misused.

The Rhysida ransomware gang, which was behind the attack, breached several hospitals in the late summer of 2023. Three Singing River hospitals and a dozen medical clinics were affected. Due to the attack, Singing River’s laboratory and radiology testing facilities were forced to work using paper-order tests and radiology exams.

Who is Rhysida?

According to US government officials who profiled the group on November 15th, the gang emerged on the ransomware scene in late May.

The group, which is suspected to be made up of veteran ransomware operators, made headlines with several high-profile attacks, including those on the British Library and Sony-owned video game maker Insomniac.

The US Cybersecurity and Infrastructure Security Agency (CISA) said Rhysida is known for going after “targets of opportunity,” including education, healthcare, manufacturing, information technology, and government sectors.

Rhysida has also been observed operating as a ransomware-as-a-service (RaaS) outfit, leasing out ransomware tools and infrastructure in a profit-sharing model.

According to Cybernews’ ransomware monitoring tool, Ransomlooker, Rhysida has publicly claimed nearly 50 organizations over the last 12 months.

The group is known to initially exploit its targets using social engineering to obtain valid credentials and to escalate privileges via public-facing applications. It often sets up live auctions on its dark leak site, offering up its victims’ data to the highest bidder.