Hackers in ransomware attack on Philly-area hospitals post patient data for sale on dark web

A group called Rhysida claims to have 500,000 Social Security numbers, legal documents and medical records and is attempting to sell them for $1.3 million

A ransomware cyberattack recently disrupted operations at four Pennsylvania health care facilities, including Delaware County Memorial Hospital.

A ransomware gang called Rhysida is attempting to sell data obtained in a cyberattack that shut down hospitals and health care clinics in Pennsylvania and four other states earlier this month.

A trove of sensitive patient data, including over 500,000 Social Security numbers as well as driver's license scans, medical records, passports and other legal documents, was recently posted for sale on the dark web, according to screenshots posted on social media. 

The early August cyberattack on the computer networks of California-based Prospect Medical Holdings disrupted operations at several health care facilities, including four hospitals in Pennsylvania. Delaware County Memorial Hospital in Drexel Hill, Taylor Hospital in Ridley Park, Crozer-Chester Medical Center in Upland and Springfield Hospital in Springfield were all affected. The cyberattack also impacted emergency rooms and clinics in Rhode Island, Connecticut, Texas and California. PMH operates a total of 16 hospitals and 165 clinics nationwide. 

Hackers are reportedly selling the trove of stolen data for 50 Bitcoins, which is equivalent to about $1.3 million. Screenshots obtained by PhillyVoice confirm that the data does include driver's licenses belonging to residents of Pennsylvania and New Jersey, but the entire scope of the data dump's contents is difficult to confirm without gaining access to the files being sold online.

The steep asking price is likely intended as a bargaining tactic designed to put pressure on PMH to pay the hackers and avoid a costly public relations headache, according to cybersecurity threat analyst Brett Callow. 

"Incidents such as this are very bad PR for the organizations concerned and may well result in class actions," Callow said. "Cybercriminals know this and try to fuel their concerns."

The cyberattack forced some PMH-owned health care facilities to postpone surgeries, redirect ambulances and in some cases shutter operations completely. Some of the company's systems are still struggling to get back online and be fully functional.

PMH declined to elaborate on the nature of the attack or provide specifics on the compromised data when contacted by PhillyVoice. 

"Unfortunately, we have now become aware that Prospect Medical data was taken by unauthorized actors, the nature of which is being actively examined," PMH said in a statement provided to PhillyVoice. "If the investigation determines that any protected health or personal information is involved, we will provide the appropriate notifications in accordance with applicable laws."

The health care industry has become a leading target of ransomware attacks in recent years due to its copious volume of sensitive patient data, high potential for financial reward and, too often, lackluster cybersecurity protections. Ransomware attacks on hospitals are said to have doubled since 2016, according to U.S. News and World Report.

This isn't the first ransomware attack to target Pennsylvania health care facilities. In 2020, Crozer-Keystone Health System said it had detected and isolated a ransomware attack before it could do much damage. This February, the Lehigh Valley Health Network said it was hit by a ransomware attack initiated by a Russian gang, but declined to pay the ransom. Unlike the PMH attack, that attack did not disrupt services or operations.