French hospital group disconnects internet after hackers steal data

The GHT Coeur Grand Est. The Hospitals and Healthcare group disconnected all incoming and outgoing internet connections after discovering that it had suffered a cyberattack that resulted in the theft of sensitive administrative and patient data.

GHT is a hospital network located in the North-East of France comprising nine sites, 6,000 employees and around 3,370 beds.

The cyberattack occurred on April 19 and affected the Vitry-le-François and Saint-Dizier hospitals, forcing GHT to disconnect internet connections to hospitals to prevent the attack from spreading and further data theft.

“The GHT Cœur Grand Est has cut all incoming and outgoing internet connections to its establishments in order to protect and secure information systems and data”, reads a press release translated from the GHT.

“This computer containment will continue until the risk of a new attack exploiting the flaw created is completely circumscribed. For this purpose, certain online services are temporarily unavailable (making appointments, etc.).”

The hospital network says the attackers also managed to copy administrative computer data stored in the facility’s systems and warns that other threat actors could publish and use the data.

Patient care continues as usual, while software used in hospitals was unaffected by this incident, so all IT systems remain operational.

However, online services remain impacted while investigating the flaw that allowed threat actors to access their network.

Additionally, due to the data breach that took place, the risk of social engineering attacks and scams against patients or hospital employees has increased significantly.

To mitigate this risk, GHT’s announcement urges everyone to remain vigilant of emails, text messages and phone calls and to report any suspicious requests to law enforcement authorities.

Victim of industrial espionage

While the hospital center’s ad contains no attribution clues, Bleeping Computer saw a new entry on the website of Industrial Spy, the new marketplace for stolen data.

Industrial Spy listing GHT on site
Industrial Spy listing GHT on site (computer beeping)

Industrial Spy is a dark web platform that poses as a marketplace for buying corporate data containing sensitive information such as schematics, financial reports, trade secrets, and customer databases.

In this case, however, Industrial Spy is not offering anything that would attract a competitor’s attention. Instead, the dataset exposes patient data among other administrative documents.

The market says they allegedly extorted the hospital network for $1,300,000, but after the deadline expired, the threat actors put the 28.7 GB of stolen data up for sale on the site.

Threat actors say personal data stolen from patients includes social security numbers, passport scans, banking information, emails and phone numbers.

Patient data included in the dataset
Patient information in the dataset

Valéry Riess-Marchivethe editor-in-chief of French news portal LeMagIT, told Bleeping Computer that while GHT is a large group of public medical institutions, the cyberattack appears to only affect Vitry-Le-François hospital.

The journalist told us that most of the hospitals in the GHT network operate their own IT infrastructure, although some overlaps are apparent from DNS records, such as the common infrastructure between Vitry-Le-François and Saint-Dizier hospital.

Despite this, the two don’t appear to be on the same Microsoft 365 tenant, so the most crucial parts of the infrastructure are still separate.

Other French hospital offenses

At the end of March, the Castelluccio hospital in Corsica was hit by hackers who also managed to exfiltrate sensitive patient data and other documents during the attack.

The incident was immediately revealed to the public and had a negative impact on the functioning of radiation therapy in the hospital’s oncology department.

This weekend, Vice Society, another stolen data marketplace, released the exfiltrated documents allegedly derived from the attack on Castelluccio Hospital, making them available for purchase.

Vice Society lists Castelluccio Hospital
Vice Society lists Castelluccio Hospital (KELA)

These include employee correspondence, HR information, patient records, identities, social security coverage details, etc.

Comments are closed.