Cyber Incident Victim: Hpital Pierre Rouqus Les Bluets
Date:
Oct 2022
Location:
France
Summary
A French maternity hospital suffered a ransomware attack by the Vice Society group, which encrypted files and backups while exfiltrating over 150 GB of data. The attackers demanded payment for network restoration and initiated a countdown deadline but withheld immediate data leaks. Hospital operations experienced email system disruptions and suspended consultations, though most medical records remained accessible and appointments were managed via an external platform. Care continuity was maintained despite the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On October 9, 2022, Hôpital Pierre Rouquès – Les Bluets, a private maternity hospital in France, experienced a ransomware attack claimed by the Vice Society threat group. The attackers encrypted hospital systems and exfiltrated over 150 GB of data, as confirmed through direct communications between Vice Society and media outlets. The hospital publicly acknowledged the incident on its website, notifying visitors of operational disruptions, including non-functional email systems. Despite the encryption, hospital management stated that most medical records remained accessible to staff, allowing continued patient care. Appointment scheduling via the Doctolib platform remained operational, though certain consultations were suspended. Vice Society explicitly admitted awareness of targeting a maternity facility during email exchanges with DataBreaches, asserting they had "locked everything," including backups—a claim partially contradicted by the hospital’s reported system accessibility.
Vice Society extended a ransom offer to the hospital, promising network restoration within one day if paid and initially providing additional negotiation time before escalating threats. On October 18, the group listed the hospital on its leak site, initiating a four-day countdown timer but refraining from immediately publishing stolen data or proof-of-hack evidence. The hospital maintained critical services throughout the incident, prioritizing continuity of care while managing technical disruptions. No patient data leaks or further operational compromises were confirmed in the immediate aftermath of the attack announcement. The attackers’ public statements emphasized their intent to pressure the hospital into payment through data exposure threats, leveraging the exfiltrated 150 GB dataset as bargaining leverage. Hospital administrators did not disclose whether ransom negotiations occurred or detail specific recovery measures beyond acknowledging ongoing efforts to restore full functionality.