Cyber Incident Victim: Saint Francis Health System
Date: Sep 2016
Location: United States of America
Summary
A healthcare provider in Oklahoma experienced a cyberattack involving unauthorized access to its web servers; the threat actors claimed to have stolen medical records, consent forms, and internal employee suggestions. The attackers demanded a ransom in Bitcoin in exchange for not publishing the data and alleged vulnerabilities in the organization's web applications. Data samples posted as proof included patient names, addresses, dates of birth, medical procedure details, and physician information, although the authenticity and recency of the data were not verified. The organization's website was temporarily unavailable during the incident. The attack was initially attributed to a known threat group, but subsequent reports cast doubt on that attribution, with sources indicating that a different actor may have been responsible.
Description
In early September 2016, St. Francis Health System, a hospital and clinic network based in Tulsa, Oklahoma, experienced a cyberattack. The attackers, initially claiming to be the threat actor "TheDarkOverlord," publicly announced on September 14 that they had compromised the organization's web servers the prior week. They demanded a ransom of 24 Bitcoins (approximately $15,000 at the time) by a "Sunday" deadline with no date specified, threatening to release the stolen data if it was not paid. The attackers claimed the breach resulted from a "giant gaping hole" in St. Francis's web application security. As proof, they posted samples from three database tables: a "diabetes" table containing names, addresses, dates of birth, and unspecified medical information, with records dated 2008; a "ConsentsRecentlyGenerated" table showing patient names, birth dates, medical procedure consents, timestamps, and physician names; and a "Tips" table containing employee suggestions for improving patient satisfaction. The authenticity of these samples was not independently verified at the time of reporting. During the initial disclosure period, St. Francis's website became inaccessible, though it later resumed normal operation.

St. Francis Health System did not publicly confirm or deny the breach in available reporting. DataBreaches.net attempted to contact the organization and left a voicemail but received no confirmation of the incident. Subsequent investigative updates introduced uncertainty about the attackers' identity: a source claiming to be close to TheDarkOverlord stated that the group denied involvement in the St. Francis attack, suggesting that another party may have been impersonating it. The attackers' communication style also raised the question of whether the operation was a continuation of TheDarkOverlord's targeting of the medical sector in May-June 2016 or a copycat operation. No data leakage beyond the posted samples was documented in available sources, and the hospital's post-incident containment measures were not disclosed. The documented operational impact was limited to temporary website unavailability; the potential impact included exposure of patient PII/PHI and reputational damage to the organization.
