BACKGROUND:
The Times of Israel is reporting Black Shadow hackers leak medical records of 290,000 Israeli patients. The Iran-linked Black Shadow ransomware group released the medical records of the entire directory from Machon Mor medical institute, including information on treatments and appointments. This occurred the same day the group released the full database the LGTBQ dating website Atraf. Excerpts:
- The directory reportedly includes information on patients’ blood tests, treatments, appointments for gynecologists, CT scans, ultrasounds, colonoscopies, vaccinations for flights abroad, and more.
- The group uploaded the file to a channel on the Telegram messaging app after a ransom demand of $1 million in digital currency to prevent the leak was apparently not paid. The group wrote, in broken English, “48 hours ended! Nobody send us money. This is not the end, we have more plan.”
- The group also posted screenshots of what it said were negotiations over the ransom. In the images of the conversations, Black Shadow supposedly refuses a ransom of $500,000. CyberServe denied negotiating with the hackers.
<p>The importance of protecting healthcare data is often understated. In particular, where it relates to information such as this, whose unauthorized release can be personally devastating to the individuals concerned. As demonstrated in two research reports that we published in 2021, there is still much work to do in the security of healthcare systems. We hope that organizations that handle all types of healthcare data will redouble their efforts to make their security best-in-class to avoid more incidents like this one.</p>
<p>The most dangerous of breaches are those that have a medical connection, and the Black Shadow group has reportedly done exactly that, releasing both records and appointments for 290,000 Israeli patients. The lack of protection for patients by hospitals and other medical facilities continues to remain troubling.</p>
<p>Medical records deserve a much better level of protection than they are allocated today. If we can’t provide that level, at a minimum we have to monitor medical systems and databases to be able to retain people’s confidence in their data. Losing confidence means losing the battle to keep our health information private. Medical facilities simply aren’t protecting and managing their data to the extent that should be required.</p>