Tampa General Hospital (TGH) confirms patient data was compromised during a more than two-week-long cyberattack. Now, multiple ransomware gangs are claiming to possess the stolen data.
TGH, a university-level research medical center in southwest Florida, said it first became aware of the unauthorized access on May 31st.
“Through our proactive monitoring tools, TGH detected unusual activity on our computer systems. We immediately took steps to contain the activity,” the hospital said in a statement posted on its website Friday.
TGH said it immediately brought in outside security and forensic experts, who were able to stop the attackers from encrypting the hospital’s data, "which would have significantly interrupted the hospital’s ability to provide care for patients.”
Unfortunately, after further investigation, TGH determined the threat actors carrying out the attack had infiltrated the network, taking files from the system over the course of nearly two weeks before being discovered.
“An unauthorized third party accessed TGH’s network and obtained certain files from its systems between May 12th and May 30th, 2023,” the hospital said.
The Snatch ransomware group is claiming to have 4T of compromised patient data, posting about the TGH hack on its leak site Friday.
According to the TGH breach notice, the cache of stolen patient information may have included:
- Names, addresses, phone numbers
- Dates of birth
- Social Security numbers
- Health insurance information
- Medical record and patient account numbers
- Dates of service and/or limited treatment information used for TGH business operations
The hospital said the specific information stolen varies with each individual, but that TGH's electronic medical record system was not involved or accessed in the attack.
In a cyber twist, another lesser-known ransomware group, Nokoyawa, was reported to have also claimed TGH as a victim on its dark leak site Friday, alongside a Canadian door lock manufacturer.
Cybernews was unable to access the Nokoyawa leak site at the time of this report, but it's not the first time the two groups have had overlapping victims, leading some security insiders to believe the two groups could be connected.
Claimed by multiple ransom gangs
The Snatch ransomware group, said to be operating since 2018, made headlines this spring with its attacks on the City of Modesto, California.
The January-February ransom attack, which Snatch claimed responsibility for a month later, disabled city networks for nearly a week, forcing Modesto police to patrol the city using hand-held radios, pens, and paper.
Snatch is said to use a Ransomware-as-a-Service (RaaS) distribution model, exploiting victims through Remote Desktop Protocol (RDP) vulnerabilities, and claims it will not publish the victim’s data as long as the agreed-upon ransom is paid.
The Nokoyawa ransomware group first emerged in February 2022 and is thought to be related to the now-defunct Hive gang.
Hive and Nokoyawa have “striking similarities in their attack chain, from the tools used to the order in which they execute various steps,” Trend Micro said about the newcomer in a profile report of the gang in 2022.
Security researchers first spotted Hive in 2021 and considered the group to be among the most active in 2022.
The Russian-affiliated ransom gang was infiltrated and taken down by the FBI after a month-long sting this past February.
Known for targeting the healthcare sector, US authorities say Hive has extorted some $100 million from more than 1,300 companies worldwide since it first surfaced.
Meanwhile, the 1,040-bed non-profit Tampa hospital said it will notify those affected by mail and provide credit and theft monitoring services for those whose Social Security numbers were compromised.
TGH said it has also set up a dedicated hotline for patients to call with questions.