
Cyber Incident Victim: PAMI

Date: Aug 2023

Location: Argentina

Summary

PAMI suffered a ransomware attack that temporarily disrupted its services. The organization stated the attack was mitigated and that all server information was safeguarded and protected. While appointments and medication purchases continued normally, the issuance of new prescriptions was temporarily halted. Officials clarified that the ransomware incident was unrelated to a separate, prior issue involving the unauthorized sale of prescriptions through stolen medical credentials.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around August 1, 2023, the Programa de Atención Médica Integral (PAMI), a comprehensive medical care program, suffered a significant cybersecurity incident confirmed to be a ransomware attack. This type of malware functions by encrypting files on a victim's systems, rendering them inaccessible, and then demanding a monetary ransom in exchange for the decryption key. Official sources confirmed to Clarín that the intrusion was detected at approximately 6:00 AM on Tuesday, August 1st, and an investigation was immediately launched to determine the origin of the attack. In response to the incident, PAMI took its website offline as a containment measure. The entity issued a public communication stating that its systems had experienced a cyberattack that temporarily affected services but assured the public that the attack had been mitigated and that all information on its servers was safeguarded and protected. This official statement, however, did not explicitly mention the word "ransomware," leaving that specific confirmation to come from official sources speaking to the press.


The immediate impact of the ransomware attack disrupted several critical services provided by PAMI. A primary concern was the effect on the prescription system. The organization clarified that any prescriptions written prior to the attack could be dispensed normally at pharmacies within the PAMI network. However, any new prescriptions required on the day of the attack, Wednesday, August 2nd, could not be issued until the service was fully restored. Patients needing new medications were told that these prescriptions would be issued and sent to them once the system became operational again. The administrative process for healthcare providers was also interrupted: the submission of invoices and transmission of data that were due on Wednesday were officially postponed. Providers were told they would be able to submit this paperwork in due course once the system was reestablished, indicating a planned grace period to accommodate the disruption caused by the cyber incident.

A separate but coincidental issue involving fraudulent prescriptions emerged in public discourse around the same time, which PAMI officials were quick to clarify was unrelated to the ransomware attack. On the day preceding the cyberattack, PAMI had detected and acted upon a separate incident involving the unauthorized sale of digitally signed PAMI prescriptions. These prescriptions were being offered for sale through groups on messaging platforms like WhatsApp and Telegram, often linked to the commercial sale of narcotics. PAMI sources explained that this fraudulent activity was not a result of a system-wide hack but was instead attributed to the compromise of a physician's credentials, likely obtained through phishing or a poor security practice by the professional. Upon discovery, PAMI utilized its existing systems and audit protocols to detect the activity and promptly filed a report with the UFI-PAMI (Unidad Fiscal de Investigaciones - PAMI), leading to its rapid deactivation. The timing of this separate credential theft incident and the subsequent ransomware attack led to public confusion and association between the two events, but officials stressed they were distinct and unrelated issues.

The incident attracted significant political attention, highlighting concerns over the security of sensitive healthcare data. Later on the day of the attack, National Deputy Graciela Ocaña, a former Minister of Health, presented a resolution project to the Chamber of Deputies. This project called for the urgent summoning of PAMI's director, Luana Volnovich, to provide explanations regarding the state of the organization's information systems in the wake of the ransomware attack. Deputy Ocaña specifically demanded that Volnovich indicate what information was potentially at risk due to the breach. Furthermore, the deputy's request also sought to clarify the separate issue of fraudulent prescription sales, asking if PAMI had knowledge of the existence of WhatsApp and/or Telegram groups through which officially digitally signed PAMI prescriptions and social work membership credentials were being offered for access to various drugs. This political move underscored the seriousness with which the incident was viewed and the demand for accountability and transparency.

The PAMI ransomware attack occurred within a broader and alarming context of escalating cyber threats targeting the healthcare sector globally. According to data published by Check Point's threat intelligence laboratory, the healthcare sector is the second most attacked industry, behind only education and research. The data indicated an average of 1,744 cyberattacks per week targeted at healthcare organizations, representing a 30 percent increase compared to the previous year. This trend reflects the heightened vulnerability of health-related institutions, which are attractive targets for cybercriminals because of the critical nature of their services and the vast amounts of sensitive personal and medical data they hold. The professionalization of cybercriminal groups specializing in ransomware has been a defining feature of the threat landscape in recent years. These groups have adopted sophisticated tactics, not only encrypting data but also exfiltrating it before locking the systems.

This practice of data theft introduces a secondary layer of extortion. The groups threaten to publish the stolen sensitive information on the dark web if the primary ransom for decryption is not paid. This double-extortion model increases pressure on victims to comply with demands, as the potential exposure of confidential data carries significant legal, reputational, and privacy consequences. The article notes that this is what happened to other Argentine entities in the recent past, such as the healthcare provider OSDE the previous year and the Comisión Nacional de Valores (National Securities Commission) just a few months prior. In those cases, when the victims did not pay the demanded ransoms, the cybercriminals followed through on their threats and published the stolen data. As such, it was noted that developments in the case were likely to emerge in the following days, as ransomware groups often update their dedicated leak sites to expose victims who refuse to pay. The article concluded by stating that no attribution for the attack on PAMI had been made public at the time of reporting, meaning the specific threat actor group responsible remained unidentified.

Sources: 1 source (available to members)