Ransomware actors continue to target healthcare organizations: three large organizations in the sector recently suffered apparent or confirmed attacks. DaVita, a dialysis provider that operates approximately 3,000 outpatient centers worldwide, became aware of a ransomware incident on 12 April 2025 that affected and encrypted "certain on-premises systems," according to a dedicated incident response website. The firm is responding to the incident and is relying on contingency plans and manual processes; care delivery continues both at its centers and for home care patients, the company said. The ransomware group behind the attack has not been identified.[1]
The second attack involved Bell Ambulance of Milwaukee, WI, which disclosed a "data security incident" on 14 April 2025. The company, which serves the state of Wisconsin and answers more than 120,000 calls for ambulance services each year, said it first became aware of the incident on 13 February 2025. Bell Ambulance later confirmed "an unauthorized individual accessed data within its network." The Medusa ransomware gang claimed an attack against the company last month. "This review is ongoing," Bell said on a disclosure page. "However, to date, Bell has determined the information impacted may include individuals' first and last name in combination with one or more of the following data elements: date of birth, Social Security number, driver's license number, financial account information, medical information, and/or health insurance information."
The third organization was Alabama Ophthalmology Associates, which disclosed an attack on 10 April 2025 via a press release. The attack was first discovered on 30 January 2025, and an investigation began soon after. "The investigation revealed certain personal/protected health information was accessed and acquired without authorization by an unknown actor between 22 January and 30 January 2025," the press release read. "AOA undertook a comprehensive review of the impacted data to identify the individuals and information involved, which concluded on 19 March 2025. AOA then took steps to provide notification as quickly as possible."
The actor accessed data belonging to current and former patients, potentially including names, addresses, dates of birth, driver's license information, Social Security numbers, medical information, and health insurance information; not every data type was affected for every individual, the organization said. The BianLian ransomware group claimed responsibility for the attack in February.
See: https://redskyalliance.org/xindustry/bianlian
These three attacks alone affected data belonging to hundreds of thousands of individuals, according to data from the US Department of Health and Human Services (HHS).
According to the HHS Office for Civil Rights breach portal, which lists breaches of unsecured protected health information affecting 500 or more individuals, Bell Ambulance's attack affected 114,000 individuals and the Alabama Ophthalmology Associates attack affected 131,576. The portal has recorded 194 such breaches so far this year. It is, unfortunately, no surprise that healthcare is such a popular target. Patient data is highly sensitive and its loss carries high stakes, so threat actors expect to be paid more, and faster, when they steal it.
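As an added example (not part of the original article or any Red Sky Alliance tooling), the following Python script reproduces the kind of figures cited above from a CSV export of the HHS OCR breach portal: how many breaches were submitted in a given year, how many individuals they affected, and the split by breach type. The column names are assumed to match the portal's export and the sample rows are constructed for illustration, not real portal data.

```python
"""Aggregate an HHS OCR breach-portal CSV export by year and breach type."""
import csv
import io
from collections import Counter
from datetime import datetime

# Column names assumed to match the portal's CSV export; adjust if they differ.
COL_ENTITY = "Name of Covered Entity"
COL_AFFECTED = "Individuals Affected"
COL_DATE = "Breach Submission Date"
COL_TYPE = "Type of Breach"

# Constructed sample rows; these are NOT real portal data. The public portal
# only lists breaches affecting 500 or more individuals, so smaller breaches
# (reported to HHS annually) never appear in this data.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Ambulance LLC,WI,Healthcare Provider,114000,04/14/2025,Hacking/IT Incident,Network Server,No
Example Eye Clinic PC,AL,Healthcare Provider,131576,04/10/2025,Hacking/IT Incident,Network Server,No
Example Health Plan Inc,TX,Health Plan,2500,03/02/2025,Unauthorized Access/Disclosure,Email,Yes
Example Billing Co,FL,Business Associate,9000,02/18/2025,Hacking/IT Incident,Network Server,Yes
Example Hospital,OH,Healthcare Provider,800,11/20/2024,Hacking/IT Incident,Network Server,No
"""


def parse_breach_csv(text):
    """Parse portal CSV text into dicts with typed 'affected' and 'submitted' fields.

    Rows with a missing column, an unparseable count or an unparseable date are
    skipped rather than guessed at, so totals never include malformed rows.
    """
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        try:
            affected = int(raw[COL_AFFECTED].replace(",", ""))
            submitted = datetime.strptime(raw[COL_DATE].strip(), "%m/%d/%Y").date()
        except (KeyError, ValueError, AttributeError):
            continue
        rows.append({
            "entity": raw[COL_ENTITY].strip(),
            "affected": affected,
            "submitted": submitted,
            "type": raw[COL_TYPE].strip(),
        })
    return rows


def summarize_year(rows, year):
    """Count breaches submitted in `year`, total individuals, and split both by type."""
    in_year = [r for r in rows if r["submitted"].year == year]
    by_type = Counter(r["type"] for r in in_year)
    individuals_by_type = Counter()
    for r in in_year:
        individuals_by_type[r["type"]] += r["affected"]
    largest = max(in_year, key=lambda r: r["affected"])["entity"] if in_year else None
    return {
        "breaches": len(in_year),
        "individuals": sum(r["affected"] for r in in_year),
        "by_type": dict(by_type),
        "individuals_by_type": dict(individuals_by_type),
        "largest": largest,
    }


def lookup(rows, entity_substring):
    """Return the affected count for the first entity whose name contains the substring."""
    needle = entity_substring.lower()
    for r in rows:
        if needle in r["entity"].lower():
            return r["affected"]
    return None


if __name__ == "__main__":
    breaches = parse_breach_csv(SAMPLE_CSV)
    summary = summarize_year(breaches, 2025)
    print(f"2025: {summary['breaches']} breaches, {summary['individuals']:,} individuals")
    for kind, n in sorted(summary["by_type"].items()):
        print(f"  {kind}: {n} breaches, {summary['individuals_by_type'][kind]:,} individuals")
    print("Largest 2025 breach:", summary["largest"])
```

To run it against the real portal, replace SAMPLE_CSV with the contents of the downloaded export; the year filter uses the submission date, which is what the portal's "this year" view is based on, not the date the breach actually occurred.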
Change Healthcare illustrates that impact. The BlackCat/ALPHV ransomware gang's attack in February 2024 on the UnitedHealth Group subsidiary, which provides revenue cycle and payment management services to healthcare organizations, resulted in the theft of records belonging to 190 million people and had a massive downstream effect, temporarily disrupting the ability of many providers and pharmacies to deliver critical services.
See: https://redskyalliance.org/xindustry/those-darn-blackcats
According to a Microsoft study published last October, ransomware attacks have surged by 300% since 2015.
Attacks on healthcare organizations don't seem to be slowing down. Anton Ovrutsky, principal threat hunting and response analyst at Huntress, tells Dark Reading that approximately 10% of all cases handled by its incident response team involve the healthcare industry, with a "large portion" of these incidents being ransomware. "The unique combination of specialized applications, mission-critical systems, and authentication requirements all combine to place healthcare organizations at a unique disadvantage when it comes to security posture and the ability to fend off ransomware attacks," he says. "We unfortunately see threat actors as having a lot of success within healthcare organizations, with compromise of one machine often leading to privileged access, which puts the threat actor in an optimal position for maximum impact."
As such, there's no better time to shore up one's defenses than the present. Ovrutsky emphasizes above all else that "brilliance is in the basics. It's easy to get caught up in the latest and greatest cybersecurity," he says. "We often find that common controls such as strong passwords, multifactor authentication, and properly segmented networks are the aspects that serve to stop threat actors. Focus on the external perimeter, expose only what you must, and place strong identity controls on the rest."
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings: REDSHORTS
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.darkreading.com/cyberattacks-data-breaches/healthcare-orgs-hit-ransomeware-attacks