Cyber Incident Victim: Clinica Santa Chiara di Locarno
Date: Mar 2023
Location: Switzerland
Summary
A ransomware attack targeted Clinica Santa Chiara di Locarno, involving data encryption and a ransom demand for decryption keys. The organization refused payment, initiated partial system isolation, and engaged specialists to investigate causes and perpetrators. While patient health data remained uncompromised, a significant portion of other data was encrypted, rendering it inaccessible, with potential theft of non-medical information unconfirmed. Operational recovery efforts prioritized data restoration over ransom payment despite longer restoration timelines. Care continuity was maintained through staff adaptation, though the incident caused service disruptions. Investigation remains ongoing to determine full attack vectors and impacts, with authorities examining potential data exfiltration. Ransom specifics, including demanded amounts, were undisclosed publicly.
Description
On or around March 1, 2023, Clinica Santa Chiara di Locarno experienced a cyberattack that disrupted its operations. The attackers encrypted a substantial portion of the clinic’s data, rendering critical information temporarily inaccessible for standard workflows. Initial analysis confirmed unauthorized actors exfiltrated data from the organization’s systems, though hospital director Christian Camponovo stated no patient health records were compromised in this breach. Criminal actors subsequently issued a ransom demand via email to the clinic, seeking payment in exchange for the decryption key required to restore access to the locked data. Clinic management immediately refused to negotiate with the attackers or fulfill financial demands, opting instead to pursue data restoration through alternative technical recovery processes.

The clinic initiated a partial isolation of affected IT systems to contain further spread of the attack, engaging a specialized external firm to conduct forensic analysis and identify the intrusion’s root causes. This investigation remained ongoing as of March 9, aiming to establish the full scope of compromised data, identify the perpetrators, and quantify operational consequences. Camponovo acknowledged the data recovery path would prolong operational disruption compared to paying the ransom but emphasized the institution’s commitment to resisting extortion attempts despite the extended restoration timeline. While excluding health data theft, he did not rule out potential exfiltration of other administrative or operational information, with the full impact awaiting formal investigation findings. Despite system unavailability affecting routine workflows, clinical staff maintained patient care continuity through manual contingency protocols and heightened workloads. No explicit details emerged regarding attack vectors, malware variants, or total data volumes impacted, nor was the ransom amount disclosed publicly. The clinic prioritized restoring full operational capacity without capitulating to criminal demands, accepting prolonged recovery efforts as necessary for long-term security integrity.
