Cyber Incident Victim: San Raffaele Hospital

Date: May 2020

Location: Italy

Summary

San Raffaele Hospital experienced a cyberattack involving unauthorized access and theft of sensitive data, including patient and employee information such as names, tax codes, email accounts, and plaintext credentials. The breach went undetected for two days until a Twitter activist disclosed it publicly, prompting the hospital to downplay the incident by claiming the compromised data originated from an obsolete training system—a response that escalated the situation as the activist subsequently leaked patient records. The hospital failed to notify authorities within mandatory reporting timelines under GDPR, with exposed vulnerabilities including unsecured credential storage and delayed breach acknowledgment despite public evidence of data exposure.

Description

On or around May 20, 2020, San Raffaele Hospital in Milan, Italy, experienced a cyber incident involving unauthorized access to its systems and the theft of sensitive data. The breach remained undetected for approximately two days until an anonymous Twitter user operating under the handle "LulzSecITA" publicly disclosed the event on social media. The user directly questioned whether hospital management had notified Italy's data protection authorities as required by law, but received no official response. Following this silence, LulzSecITA escalated by publishing screenshots of stolen data samples, which subsequently attracted attention from local media outlets. This compelled hospital administration to issue a statement acknowledging an "attempted intrusion" that allegedly occurred months prior to the disclosure. The hospital asserted no sensitive data had been compromised, characterizing the exposed information as obsolete credentials from an abandoned online training application containing outdated user accounts and passwords.

The published data samples revealed exposure of names, tax identification codes, email addresses, usernames, and passwords stored in plaintext format. LulzSecITA responded to the hospital's minimization of the incident by releasing patient data to demonstrate the breach involved current, sensitive information. The activist threatened further data disclosures unless the hospital formally admitted the breach's severity and notified affected individuals. Analysis of the breach indicated failure to implement basic security practices, including improper credential storage methods. San Raffaele Hospital did not notify regulatory authorities within the 72-hour window mandated by GDPR despite evidence of personal data exposure. The hospital eventually confirmed contact with relevant authorities for clarification purposes, but provided no details regarding containment measures, forensic investigations, or system remediation efforts following the initial intrusion or subsequent data leaks.
