Cyber Incident Victim: Morris Hospital & Healthcare Centers
Date: May 2023
Location: United States of America
Summary
Morris Hospital experienced a cybersecurity incident involving unauthorized access to its network by the Royal ransomware group. The hospital's electronic medical record systems were not compromised and patient care was unaffected. An investigation with external experts was launched to review files for potential data compromise. The hospital stated its existing security measures prevented a more severe incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 22, 2023, the Royal ransomware group publicly claimed responsibility for an attack on Morris Hospital by adding the organization to their data leak site. The group supported their claim by publishing a small sample of files allegedly exfiltrated from the hospital's network. This public declaration by the threat actors served as the initial external indicator of a security incident. The following day, on May 23, Morris Hospital responded by posting a formal statement on its website, which was prominently linked from its homepage. This statement confirmed the organization was actively investigating a cybersecurity incident.

The investigation was initiated after internal security monitoring detected unusual activity on the hospital's computer network. This anomalous activity provided indicators that an unauthorized third party had successfully gained access to the network system. According to the hospital's statement, the compromised network system was separate from the electronic medical record systems used for direct patient care. This architectural segmentation proved critical, as the hospital confirmed its electronic medical record systems were not compromised in the attack. The integrity and availability of these clinical systems meant the incident had no impact on patient care delivery or hospital operations, which continued without interruption.
Upon detection of the unauthorized access, Morris Hospital took immediate action to contain the incident. The specific containment measures were not detailed publicly, but the prompt response was intended to limit the threat actor's ability to move laterally within the network and access additional systems. Following the initial containment, the hospital began an extensive investigation into the scope and impact of the breach. This investigation was conducted with the assistance of independent cybersecurity forensic experts engaged to provide specialized support and analysis.
The forensic investigation process involved a meticulous review of the affected servers. Hospital officials described the effort as an e-discovery process, requiring a review of each individual file on the compromised servers to determine whether any sensitive data was accessed or acquired by the unauthorized third party. This painstaking method is typically employed to accurately ascertain the nature and extent of any data exposure. The hospital's public statement on May 23 noted that this investigative process remained active and ongoing, indicating that a full assessment of what data may have been involved was not yet complete.
Throughout its communications, Morris Hospital emphasized that the numerous IT security measures already implemented prior to the incident were instrumental in preventing a more severe outcome. These existing security controls helped limit the attacker's access and ultimately protected critical patient care systems from being affected. The hospital's statement did not confirm whether the incident involved file encryption or a ransomware deployment, nor did it disclose whether a ransom demand was received from the Royal group. The hospital's position on whether it would pay any potential ransom demand was also not stated publicly. The situation was described as developing, with a commitment to provide further updates as more information became available from the ongoing investigation. The public claim by the Royal ransomware group positioned this incident as part of their broader extortion operations, where data theft and the threat of public release are used as leverage for financial gain.
