Multi-hospital ransom attack in US claimed by Rhysida gang


The early August ransomware attack on California-based Prospect Medical Holdings (PMH), a multi-state conglomerate of over a dozen major hospitals and more than 150 outpatient facilities, has been claimed by the Rhysida ransom group.

The PMH ransom attack, which took place on August 3rd, 2023, forced some hospitals in the northeast to suspend emergency and ambulatory services; three weeks later, many facilities are still closed or experiencing major issues, and online services remain unavailable.

Besides posting PMH as a victim on their dark leak site on Thursday, the threat actor has also set up a live auction to sell more than two terabytes of data allegedly stolen in the attack.

Personal data of 500K people on the auction block

“BIG sale!!” Rhysida advertised on its auction page, along with another ransom victim, Pierce College, located in northwestern Washington state.

The group claims to have "kindly been provided" the sensitive data of over half a million PMH patients and employees, data alleged to include social security numbers, passports, driver's licenses, patient medical files, plus legal and financial documents.

"Introducing our new partners – Prospect Medical Holdings.... If you are interested in our partner's confidential documents, you will be able to purchase them too!!! Total 1TB unique files, as well as 1.3TB SQL database," Rhysida posted.

Image: Rhysida PMH data auction (source: Rhysida dark leak site)

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data,” the post reads.

“We sell only to one hand, no reselling, you will be the only owner!” the group said.

The gang also posted, on another linked page, several samples of the 500,000 social security numbers and passports, along with a price tag of 50 Bitcoin.

Image: Rhysida PMH data samples (source: Rhysida dark leak site)

The group has set a countdown clock to expire nine days from Thursday's auction post, which, from the date of this report, should be September 1st.

Hospitals struggle to reopen

Meanwhile, a banner seen at the top of all affected PMH hospital websites states, “Prospect Medical Holdings, along with all Prospect Medical facilities, is experiencing a systemwide outage. We are working to resolve the issue as soon as possible and regret any inconvenience.”

Image: Prospect Medical Holdings ransomware attack outage banner (source: PMH website)

The medical group owns and operates 17 hospitals and a network of more than 165 outpatient facilities and clinics across five states: Connecticut, New Jersey, Pennsylvania, Rhode Island, and Southern California, including Los Angeles.

Some of the hospital closures and patient diversions, such as those at Waterbury Hospital in Connecticut, triggered an investigation into the attacks by local FBI field offices.

Part of PMH's Eastern Connecticut Healthcare Network, the hospital has also been forced to revert to paper records.

The ransomware attacks also caused network systems to go down at nearly half a dozen hospitals and facilities in Pennsylvania under the PMH subsidiary Crozer Health.

PMH has not given an estimated time frame of when services will return to normal.

Who is Rhysida?

A newcomer to the ransomware scene – according to a warning bulletin released by the US Department of Health and Human Services on August 4th – Rhysida is apparently named after a large species of toxic centipede originating from Africa.

Image: Rhysida ransom group logo (source: Rhysida dark leak site)

Rhysida is thought to have ties to the Vice Society ransom gang, notorious for its attacks on the education sector, primarily in the US, Canada, and the UK.

Rhysida, operating as a ransomware-as-a-service (RaaS) group, was first seen in May of this year. The group made waves after a successful attack on the Chilean government, which included leaking stolen data online in June.

Since then, the threat actor has already added at least eight victims to its dark web data leak site and has published all stolen files for five of them, the bulletin said. Since the bulletin was released, there are now 40 victims listed on Rhysida's dark leak site.

The gang typically gains initial access through phishing and uses Cobalt Strike to move through a victim's network before deploying its namesake ransomware, which the bulletin describes as unsophisticated.

The group is known for targeting the healthcare industry, although it has also hit the education, government, manufacturing, and technology sectors. Rhysida is said to focus primarily on targets in Western Europe, North and South America, and Australia.