
Cyber Incident Victim: CHRISTUS Health

Date: May 2022

Location: United States of America

Summary

The healthcare organization suffered a ransomware attack by the AvosLocker group, which stole sensitive data and threatened to release it publicly unless a ransom was paid. The incident disrupted critical services, impacting patient care and operations. In response, the organization secured its systems, investigated the compromised data, and worked with authorities and cybersecurity experts to address vulnerabilities and mitigate risks.


Description

In early May 2022, the AvosLocker ransomware group publicly claimed responsibility for a cyberattack targeting CHRISTUS Health, a major healthcare system operating in the southern United States and Latin America. The threat actors asserted they had stolen sensitive data from the organization and threatened to release the information unless a ransom payment was made. AvosLocker listed CHRISTUS Health on its dark web leak site around May 1, 2022, following a common ransomware tactic to pressure victims through the threat of public data exposure. The group did not initially disclose the specific types or volume of data allegedly exfiltrated. CHRISTUS Health acknowledged awareness of the claims but did not immediately confirm whether a breach had occurred, stating its security team was actively investigating the situation. This incident followed a pattern of AvosLocker targeting healthcare organizations, including a similar attack against Kansas Heart Hospital earlier that year.

The potential compromise raised significant concerns due to the sensitive nature of healthcare data typically held by regional health systems. While CHRISTUS Health did not publicly verify the attackers’ claims, such breaches commonly involve exposure of protected health information (PHI), personally identifiable information (PII), employee records, and proprietary operational data. The organization implemented standard incident response protocols, including securing affected systems, conducting forensic analyses, and coordinating with law enforcement agencies. Operational impacts appeared limited as healthcare services continued without major disruptions. CHRISTUS Health maintained its policy against paying ransoms to cybercriminals, aligning with FBI recommendations. The incident highlighted ongoing vulnerabilities in the healthcare sector, particularly the risks posed by ransomware groups employing double extortion tactics involving both data theft and encryption. AvosLocker’s involvement underscored the group’s continued focus on critical infrastructure entities despite increased law enforcement scrutiny of ransomware operations during this period.
