Fraud Management & Cybercrime , Healthcare , Industry Specific

Mississippi Health System Ransomware Attack Affects 253,000

Report to State Regulators Indicates Big Jump in Number of Patients Affected
Mississippi Health System Ransomware Attack Affects 253,000
Singing River Health System was hit by a ransomware attack last August that has compromised the information of nearly 253,000 patients. (Image: Singing River)

A Mississippi health system is notifying nearly 253,000 individuals that their sensitive information was potentially compromised in a "malicious and sophisticated ransomware" attack that also took IT systems offline for several days last summer. The cybercriminal gang Rhysida had claimed responsibility for the assault.

See Also: Advancing Cyber Resiliency With Proactive Data Risk Reduction

Singing River Health System, which operates three hospitals and over a dozen medical clinics serving the Mississippi Gulf Coast, told the Maine attorney general's office on Friday that 38 Maine residents had been among the 252,890 people affected by the incident.

In the immediate aftermath of the attack last summer, laboratory and radiology testing were among the Singing River patient services affected by the IT systems outage. For a time, Singing River's Epic electronic medical record system was taken offline as the entity responded to the incident.

The cybercrime gang Rhysida claimed credit on its dark web site for at least one other high-profile healthcare sector attack last August, according to reporting by DataBreaches.net.

Rhysida also claimed responsibility for an attack last August on California-based hospital chain Prospect Medical Holdings, which disrupted the entity's IT systems for several weeks (see: Fallout Mounting From Recent Major Health Data Hacks).

HHS' Health Sector Cybersecurity Coordination Center issued an alert in August that warned of escalating attacks by Rhysida on the healthcare sector since the group first emerged in May 2023 (see: Authorities Warn Health Sector of Attacks by Rhysida Group).

Dark web monitoring site DarkFeed.io on Monday counted 76 total Rhysida victims.

In its sample breach notice to the Maine attorney general's office, Singing River said it had discovered the attack on Aug. 19, 2023. The organization said its investigation had determined that unauthorized access within its IT environment occurred between Aug. 16 and Aug. 18. Potentially affected information includes patient name, birthdate, address, Social Security number, medical information and health information.

The organization said it has no evidence that any of the information was used for identity theft or fraud, but it is offering affected individuals 12 months of complimentary identity and credit monitoring.

"Singing River Health System is also working to implement additional safeguards and training to its employees," the notice said.

HHS HC3's alert warned that Rhysida ransomware is deployed in multiple ways. Primary methods include breaching targets' networks through phishing attacks and by dropping payloads across compromised systems after first deploying Cobalt Strike or similar command-and-control frameworks.

Earlier Estimate

While more than 250,000 people have been affected by the Singing River attack, the health system reported the hacking incident to federal regulators on Oct. 18 as affecting only 501 people, a placeholder estimate.

That substantially lower figure still remains posted on the U.S. Department of Health and Human Service's HIPAA Breach Reporting Tool website of major health data breaches affecting 500 or more individuals.

In most cases, HHS' Office for Civil Rights tends not to update the figures posted on its public-facing HIPAA breach reporting website once a breached entity submits its initial report to the agency.

Some experts said the low-ball initial estimates that stay posted on the federal site are misleading to the public and should be updated by the agency as a matter of practice, especially when the number of affected individuals in a breach climbs substantially.

"Most of the public does not know that a submission of 501 disclosed records is actually a placeholder and may take away a false sense of security that the disclosure is unlikely to affect them personally," said Mike Hamilton, co-founder and CISO of security firm Critical Insight.

"It further hobbles researchers from performing the type of analysis that would help to quantify trends in targeting and methods that are 'effective' by the gangs," he said.

Yet at the same time, "the continuing focus on records is almost an artifact of the 20th century at this point," he said.

"The massive number of records that have been disclosed in just the past year tops 100 million - nearly one-third of all Americans," Hamilton said.

"We have all become numb to the continuing parade of announcements that our privacy, health, financial and other information is out for sale on dark markets. Another few hundred thousand records is almost noise at this point versus meaningful signal."

Singing River did not immediately respond to Information Security Media Group's request for comment and additional details about the ransomware incident.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.