Hospital workers waiting around

The GHT Coeur Grand Est. Hospitals and Health Care group has disconnected all incoming and outgoing Internet connections after discovering they suffered a cyberattack that resulted in the theft of sensitive administrative and patient data.

GHT is a hospital network located in Northeast France consisting of nine locations, 6,000 employees, and approximately 3,370 beds.

The cyberattack occurred on April 19th and affected the CHs of Vitry-le-François and Saint-Dizier, causing GHT to disconnect Internet connections to the hospitals to prevent the attack's spread and further data theft.

"The GHT Cœur Grand Est has cut all incoming and outgoing internet connections from its establishments in order to protect and secure information systems and data," reads a translated statement from GHT.

"This computer containment will continue until the risk of a new attack exploiting the flaw created is completely circumscribed. To this end, some online services are temporarily unavailable (making appointments, etc.)."

The hospital network says that the attackers also managed to copy administrative computer data stored in the establishment's systems and warn that other threat actors may publish and use the data.

Patient care continues as usual, while the software used in the hospitals has not been affected by this incident, so all IT systems remain operational.

However, online services remain impacted while investigating the flaw that allowed the threat actors access to their network.

Furthermore, due to the data breach that has taken place, the risk of social engineering attacks and scams against patients or hospital employees has increased dramatically.

To mitigate this risk, GHT's announcement urges everyone to stay vigilant against emails, SMS, and phone calls and report any suspicious requests to law enforcement authorities.

Industrial Spy victim

While the hospital center’s announcement doesn’t contain attribution clues, Bleeping Computer has seen a new entry on Industrial Spy’s website, the new market for stolen data.

Industrial Spy listing GHT on the site
Industrial Spy listing GHT on the site (Bleeping Computer)

Industrial Spy is a dark web platform that promotes itself as a marketplace for buying corporate data that contain sensitive information like schematics, financial reports, trade secrets, and client databases.

In this case, however, Industrial Spy isn’t offering anything that could draw the attention of a competitor. Instead, the data set exposes patient data among other administrative documents.

The marketplace says they allegedly extorted the hospital network for $1,300,000, but after the timer ran out, the threat actors put the 28.7 GB of stolen data up for purchase on the site.

The threat actors claim the stolen personal data of patients includes social security numbers, passport scans, banking info, emails, and phone numbers.

Patient data included in the data set
Patient info in the data set

Valéry Rieß-Marchive, the editor-in-chief of the French infosec news portal LeMagIT, told Bleeping Computer that while GHT is a large group of public medical facilities, the cyberattack appears to only impact the hospital in Vitry-Le-François.

The reporter told us that most hospitals within the GHT network operate their own IT infrastructure, although some overlaps become apparent from DNS records, like the common infrastructure between Vitry-Le-François and the Hospital of Saint-Dizier.

Despite that, the two don't appear to be on the same Microsoft 365 tenant, so the most crucial infrastructure parts are still separate.

Other French hospital breaches

At the end of March, the Hospital de Castelluccio in Corsica was hit by hackers who also managed to exfiltrate sensitive patient data and other documents during the attack.

The incident was disclosed to the public immediately and had negative repercussions on the operation of radiotherapy in the hospital’s oncology unit.

This weekend, Vice Society, another stolen data marketplace, published the exfiltrated documents allegedly derived from the attack on the Castelluccio hospital, making them available for purchase.

Vice Society lists Castelluccio hospital
Vice Society lists Castelluccio hospital (KELA)

These include employee correspondence, HR information, patient records, identities, social security coverage details, and more.

Related Articles:

AT&T says leaked data of 70 million people is not from its systems

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

French unemployment agency data breach impacts 43 million people

Nissan confirms ransomware attack exposed data of 100,000 people

Acer confirms Philippines employee data leaked on hacking forum