HHS issues alert on new ransomware group that claimed radiology provider as 1st US healthcare victim

Health and Human Services recently issued an alert about a new ransomware threat, which claimed a radiology group as its first U.S. healthcare victim.

First discovered in May, BlackSuit operates using a double-extortion method that steals and encrypts sensitive data on a compromised network. Thus far, the ransomware group and strain has been used in a small number of attacks, HHS said in a Nov. 6 alert.

Its only purported victim in the U.S. healthcare sector was an unnamed provider of medical scans and radiology services for almost 1,000 hospitals and health systems in 48 states. The incident occurred in October, with BlackSuit encrypting the provider’s servers and systems using malware.

“The initial impact of the attack caused the victim to shut down computer systems and turn away patients at fixed-site locations,” HHS said. “No further details are known at this time, although given the ubiquitous geographic presence of the victim, significant impacts could still follow.”

Radiology provider Akumin experienced a significant ransomware attack in October that forced it to temporarily postpone most of its clinical and diagnostic operations. The Plantation, Florida-based company’s website says it serves about 1,000 hospitals and health systems across 48 states. However, Akumin did not respond to messages Friday seeking to confirm the connection.

BlackSuit has “significant similarities” to the Royal ransomware family, a direct successor of the “notorious” Russian-linked Conti operation, HHS noted.

“Both Royal and the now-defunct Conti are known to have aggressively targeted the [healthcare and public health] sector, and if their purported ties to BlackSuit prove to be verified, then the sector will likely continue to be attacked profoundly,” the agency said in its alert.

One cybersecurity company documented at least three attacks involving the BlackSuit encryptor, with ransom requests below $1 million. Another company annotated at least five attacks in the manufacturing, business technology, retail and government sectors spanning the U.S., Canada, Brazil and the U.K.

“With only a small number of victims, the ransomware gang is considered more infamous for their purported connections to the more prolific Royal ransomware family,” HHS said. “If their connection is confirmed, it would augment BlackSuit as a threat actor to be closely watched in the near future.”

Marty Stempniak

Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic. 

Around the web

The patient, who was being cared for in the ICU, was not accompanied or monitored by nursing staff during his exam, despite being sedated.

The nuclear imaging isotope shortage of molybdenum-99 may be over now that the sidelined reactor is restarting. ASNC's president says PET and new SPECT technologies helped cardiac imaging labs better weather the storm.

CMS has more than doubled the CCTA payment rate from $175 to $357.13. The move, expected to have a significant impact on the utilization of cardiac CT, received immediate praise from imaging specialists.