Cyber Incident Victim: CHU Brest

Date: Jun 2023

Location: France

Summary

A ransomware attack targeted the Centre Hospitalier Le Jeune, a facility affiliated with the Brest University Hospital. The hospital's information system was disconnected from the internet as a protective measure, rendering email and fax inaccessible. While patient and resident care was unaffected and no data theft was identified, staff and families were advised to contact the hospital by phone or postal mail. A complaint was filed, and the institution did not pay the ransom demand.

Description

On or around June 30, 2023, the Centre Hospitalier de Saint-Renan, which is part of the Brest University Hospital Center (CHU de Brest), was the target of a significant cybersecurity incident. The attack was identified on that date, a Friday, and was subsequently classified as a ransomware attack. This type of malicious software functions by encrypting an organization's entire dataset and then demanding a ransom payment in exchange for the decryption key needed to restore access. The specific ransomware variant used and the precise initial attack vector were not disclosed in the available information. Following the discovery of the incident, the hospital's management took immediate action by filing an official complaint with the relevant authorities, initiating a law enforcement investigation into the criminal act.

The leadership of the CHU de Brest publicly stated that they did not acquiesce to the financial demands of the attackers. This decision was described as being in direct accordance with established national directives and guidelines for responding to such extortion attempts. The hospital's communication service emphasized this non-compliance as a matter of policy. While the existence of a ransom demand was confirmed, the specific monetary amount or other conditions requested by the threat actors were not revealed to the public.

In response to the attack, a primary containment measure was enacted to prevent further spread or potential data exfiltration. As a protective action, the entire information system of the Centre Hospitalier de Saint-Renan was deliberately disconnected from all internet access. This isolation of the network effectively severed multiple critical communication channels. Internal and external email systems became completely inaccessible, and fax machines connected to the compromised network were also rendered inoperable. This loss of standard communication methods represented a significant operational disruption to the hospital's daily administrative functions.

The Centre Hospitalier de Saint-Renan itself is a multi-facility institution comprising both hospital wards and long-term care residences. Its hospital sector contains a total of 52 beds dedicated to specific medical services, including palliative care, follow-up and rehabilitation care, and addiction treatment. Furthermore, the institution operates two separate retirement homes with a combined capacity of 174 residents. The incident directly impacted the digital systems supporting all of these operations.

Despite the severe disruption to its information technology infrastructure, the hospital administration confirmed that the direct care and treatment of patients and residents continued without being impacted. Clinical operations and medical services were maintained through alternative, presumably manual, processes. The institution also conducted an initial assessment of the data breach aspect of the incident. According to their public statements, no evidence was found to suggest that any patient, resident, or employee data had been stolen or exfiltrated by the attackers during the event. The primary impact was therefore confined to the encryption of data and the resulting loss of access to digital systems and files.

To manage the communication challenges created by the internet disconnection, the hospital implemented a contingency plan relying on older technologies. The professional medical staff working at the facility and the families of individuals receiving care were formally instructed to cease attempts to contact the hospital via email or fax. Instead, they were explicitly directed to use traditional telephone calls or physical postal mail as the only viable methods for communication until further notice. This shift to analog systems was a necessary step to ensure that coordination of care and updates to families could continue while the digital systems remained offline and inoperable due to the ransomware encryption. The duration of the disruption and the timeline for a full restoration to normal operations were not detailed in the immediate aftermath of the attack.
