Cyber Incident Victim: Grupo Germano de Sousa

Date: Feb 2022

Location: Portugal

Summary

A cyberattack disrupted operations at a major medical laboratory group, forcing nationwide closures and delaying test results for thousands of patients. The organization described the incident as a criminal act targeting its business, requiring complete system reconstruction. While patient data reportedly remained uncompromised, over 12,000 individuals lacked critical results on the attack day alone. Services gradually resumed starting in northern regions, with full restoration expected within 24-48 hours of system reactivation. The prolonged outage created significant patient backlogs, though administrators anticipated rapid result dissemination once systems were operational.

Description

The cyberattack on Grupo Germano de Sousa (GGS) laboratories was detected on Thursday, February 3, 2022, forcing the immediate suspension of diagnostic services nationwide. José Germano de Sousa, the group's administrator, publicly characterized the incident as a "cyberattack executed by cowards and criminals" during a February 7 interview with SIC Notícias. Technical teams initiated full-scale reconstruction of the compromised IT infrastructure across all regional facilities within hours of discovery. Operations remained halted from Friday, February 4 through the weekend as recovery efforts continued. The organization maintained that no patient data was accessed or exfiltrated during the breach, though no forensic evidence supporting this claim was disclosed. By February 8, partial service restoration enabled a phased reopening beginning with northern Portugal laboratories.

Approximately 12,000 patients failed to receive test results on February 3 alone, with cumulative delays affecting "many thousands" more during the six-day operational shutdown. GGS projected a 24-48 hour processing window to clear the backlog once systems became fully operational. Service expansion followed a geographic rollout plan: Lisbon-area laboratories resumed operations between February 10 and 11, while southern Portugal facilities reopened on February 10. The administrator acknowledged uncertainty regarding attacker motives but suggested the incident likely constituted a targeted business disruption attempt. No ransomware demands or explicit threat actor claims were referenced in public statements. Restoration priorities focused on reactivating diagnostic reporting systems rather than implementing new security measures during the initial recovery phase.
