Cyber Incident Victim: ASST Fatebenefratelli Sacco
Date: May 2022
Location: Italy
Summary
A ransomware attack attributed to the Vice Society group compromised the ASST Fatebenefratelli Sacco healthcare provider, disrupting hospital operations including emergency services and forcing medical staff to rely on manual record-keeping due to encrypted clinical folders and inaccessible patient data. The attackers exfiltrated and publicly exposed sensitive information, including minors' health records, employee personal data, and internal organizational documents, indicating potential targeting of shared file servers. Initial system access credentials had reportedly been sold on criminal underground forums months prior, suggesting use of an access-as-a-service model to facilitate the attack. Operational recovery efforts required extended downtime while authorities investigated the breach.
Description
On May 1, 2022, the ASST Fatebenefratelli Sacco healthcare network in Milan suffered a cyberattack that disrupted operations across its Sacco, Fatebene, Buzzi, and Macedonio Melloni hospitals. The attack rendered critical IT systems inoperable, forcing staff to rely on paper-based processes for patient registration, treatment documentation, and medication administration. Emergency services experienced significant delays, particularly at the Sacco emergency room, Macedonio Melloni, and Buzzi children’s hospital. Medical personnel lost access to electronic health records, ongoing treatment plans, historical medication data, and clinical folders, severely impeding patient care continuity. The disruption persisted through May 2 and was projected to continue through May 3, with no immediate resolution timeline established. Initial analysis suggested ransomware involvement due to reports of encrypted clinical folders, though no group claimed responsibility until weeks later. The healthcare provider promptly notified relevant authorities including the Postal Police, who assisted recovery efforts.

On June 22, 2022, the Vice Society ransomware group publicly claimed responsibility for the attack, confirming the ransomware nature of the incident. The attackers exfiltrated and published sensitive data including patient health records (including minors’ information), employee personal details, fiscal documents, and internal decision-making files. Evidence suggested compromise of file servers and shared network drives, with exposed folder names indicating systemic access to storage infrastructure. Cybersecurity analysts revealed that network access credentials had been available for purchase on criminal forums since January 2022, indicating potential prior unauthorized access by threat actors. The attack exemplified the Access-as-a-Service model, where ransomware operators leverage third-party brokers for initial network infiltration. While some speculation emerged about possible connections to Russia-Ukraine cyber hostilities, no definitive attribution beyond Vice Society was established. Restoration efforts remained ongoing during the initial days following the attack, with full system recovery timelines undisclosed.
