Cyber Incident Victim: MEDHOST
Date: Dec 2017
Location: United States of America

Summary

Attackers compromised a healthcare IT company's public website and redirected its domain to a static site containing a ransom demand, threatening to sell patient records and payment information unless paid in Bitcoin. The organization regained control of its domain, restored services, and stated no evidence indicated unauthorized access to sensitive data or internal systems, maintaining the incident was limited to DNS redirection. Despite hacker claims of possessing patient information, the company determined no protected health information was accessed and declined to report the event as a breach.

Description

On December 19, 2017, attackers compromised MEDHOST’s public website (medhost.com), replacing its homepage with a message claiming unauthorized access to sensitive data. The hackers asserted possession of 127 domain names, patient records, and payment information, demanding a ransom of 2 bitcoin to release control of the servers and domains. The defacement was first reported by HIStalk, which published an image of the hackers’ message threatening to sell personal information unless payment was made. MEDHOST did not immediately respond to DataBreaches.net’s initial request for confirmation or clarification of the breach claims. By December 20, MEDHOST Chief Information Security Officer William Crank stated the company had regained full control of the domain and completed restoration of associated applications, though DNS propagation delays could cause intermittent access issues for up to 24 hours. Crank emphasized no evidence suggested sensitive information was compromised, characterizing the incident as limited to DNS redirection to a static site containing the attackers’ message.

MEDHOST issued a formal statement on December 21 reiterating that its domain registrar account had been compromised, leading to the redirection of its public URLs, but maintained there was no indication patient information was accessed or exfiltrated. The company confirmed full restoration of its domains and web-based applications, while acknowledging that intermittent access disruptions could linger during DNS propagation. Throughout the incident, MEDHOST asserted uninterrupted control over internal systems and committed to continuing the investigation into the root cause. DataBreaches.net attempted to verify the attackers’ claims by requesting proof of PHI access but received no response from the hackers. Based on MEDHOST’s assertions that no PHI was compromised, the company stated it would not report the incident to HHS, prompting DataBreaches.net to close the case without including it in breach statistics as of December 23.
