Cyber Incident Victim: BJC HealthCare
Date: May 2022
Location: United States of America
Summary
A ransomware incident impacted a healthcare organization via the Magniber strain, which had recently expanded its targeting to include Windows 11 systems. The malware masqueraded as legitimate Windows update files distributed through forums, cracked-software platforms, and fraudulent websites. Upon execution, it encrypted files using RSA-2048 and AES. Attackers demanded an initial ransom of 0.09 Bitcoin (approximately $2,848 at the time), threatening to double the amount if it was not paid within five days and to permanently invalidate payment access after an unspecified deadline. This incident coincided with a broader surge in Magniber activity, which leveraged the strain's enhanced cross-version Windows compatibility to increase infection rates. The ransomware had been active since at least 2017, with notable attacks against South Korean entities.
Description
On May 24, 2022, BJC HealthCare experienced a widespread system outage impacting clinical and operational functions across multiple hospitals and outpatient facilities in the Missouri-Illinois region. The disruption began in the early morning hours and affected electronic health records (EHR), scheduling systems, and communication platforms, forcing staff to revert to manual, paper-based processes. Several hospitals implemented ambulance diversion protocols because they could not access real-time bed availability or patient histories, while non-urgent appointments and elective procedures were canceled or rescheduled. BJC activated its downtime contingency plans, including deploying backup documentation forms and prioritizing critical care interventions. The organization publicly acknowledged the incident on May 25 through social media channels, characterizing it as an ongoing "system outage" without initially confirming a cybersecurity link.

BJC engaged third-party cybersecurity forensic experts to investigate the outage's origin while working to restore systems incrementally over the following days. Internal communications instructed staff to avoid using personal email or unauthorized cloud storage for patient information during the disruption. The incident caused significant operational delays, with patients reporting prescription processing errors and appointment coordination problems caused by inaccessible digital records. No evidence of unauthorized data access or exfiltration was disclosed during the initial response phase. BJC did not publicly attribute the outage to ransomware or specify whether any threat actors made contact, though the timing coincided with broader regional cybersecurity alerts about ransomware campaigns targeting healthcare entities. Restoration timelines varied by facility: some locations regained partial EHR functionality within 72 hours, while others experienced prolonged interruptions to ancillary services such as radiology order transmission.
