Date: Apr 2022

Location: France

Summary

The Groupement Hospitalier de Territoire Cœur Grand Est, serving multiple healthcare facilities, experienced a cyberattack involving unauthorized copying of primarily administrative data while patient records and critical internal systems remained operational. The organization isolated its information systems from the internet to contain the threat and prevent further exploitation of vulnerabilities, maintaining patient care continuity through adapted operational protocols without network connectivity. Forensic efforts focused on damage assessment and restoring secure external communications, with legal action planned against the perpetrators targeting public health institutions.

Description

On April 19, 2022, the Groupement Hospitalier de Territoire (GHT) Cœur Grand Est, a network of healthcare facilities serving Bar-le-Duc, Verdun, Saint-Dizier, Vitry-le-François, and affiliated units like the Ehpad nursing homes in Vitry-le-François and Thiéblemont-Farémont, experienced a malicious cyberattack originating from a foreign source. The attackers infiltrated the hospital group’s systems and copied primarily administrative data, though critical clinical applications and internal software supporting daily operations remained unaffected. This preservation of core medical systems allowed patient records to remain fully functional, ensuring uninterrupted patient care across all facilities. The GHT’s management confirmed the breach through an official statement, emphasizing that no clinical operations or emergency services were disrupted. The attack’s focus on administrative data—rather than medical systems—suggested a deliberate attempt to exfiltrate sensitive organizational information without directly compromising healthcare delivery.

In response, the GHT initiated immediate containment measures by disconnecting all affected information systems from the internet on the evening of April 20, 2022, one day after the intrusion was detected. This network isolation strategy aimed to prevent further exploitation of the vulnerability used in the attack and remained in effect until the risk of additional breaches was fully eliminated. Concurrently, the GHT’s IT team worked to assess the extent of the data compromise and restore secure external communication channels. Administrative, medical, logistical, and technical staff collaborated to implement alternative workflows that maintained hospital operations without internet connectivity. The organization also announced its intention to file a legal complaint against the attackers, framing the incident as a targeted theft of public health institution data. No patient data breaches or operational disruptions beyond administrative functions were reported, though the prolonged system confinement underscored the complexity of securing critical infrastructure against evolving threats.
