Cyber Incident Victim: Crozer-Keystone Health System
Date:
Jun 2020
Location:
United States of America
Summary
Crozer-Keystone Health System suffered a ransomware attack by the NetWalker gang, which subsequently auctioned stolen data—primarily financial information—on the darknet after the organization declined to pay the Bitcoin ransom. The attackers threatened to leak the data if it remained unsold, though the health system did not confirm whether patient records were compromised. This incident occurred amid the COVID-19 pandemic, contrasting with other ransomware groups that had pledged to avoid targeting healthcare providers during the crisis. The attack impacted a network of four hospitals serving parts of Pennsylvania, Delaware, and New Jersey.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In June 2020, the NetWalker ransomware gang attacked Crozer-Keystone Health System, a four-hospital network serving Delaware County, Pennsylvania, northern Delaware, and parts of western New Jersey. The attackers encrypted systems and stole data, subsequently demanding a Bitcoin ransom. When the healthcare system did not pay, NetWalker initiated an auction of the stolen data on its darknet site by June 19, 2020. The auction listing included dozens of folders primarily containing financial information, with no evidence of compromised patient medical records. The gang threatened to publicly leak the data if it remained unsold within six days. Crozer-Keystone acknowledged the incident through a statement to DataBreaches.net but declined to disclose the ransom amount or confirm whether patient data was affected. The health system provided no further operational details about the attack’s scope, detection methods, or containment measures.
The incident occurred during the COVID-19 pandemic, a period when multiple ransomware groups had publicly pledged to avoid targeting healthcare providers. NetWalker violated this informal moratorium, drawing condemnation from cybersecurity experts. Brett Callow, a threat analyst at Emsisoft, described attacking hospital systems during the pandemic as "despicable and unconscionable," noting most other groups had honored their non-aggression pledges. The attack strained healthcare services already overwhelmed by pandemic demands, though Crozer-Keystone did not specify operational disruptions. Emsisoft’s 2019 research contextualized the threat, revealing ransomware had impacted at least 764 U.S. healthcare providers in the preceding year. No subsequent data leaks or financial impacts were confirmed in available reports following the auction deadline.