Cyber Incident Victim: Valley Health Systems
Date: Aug 2020
Location: United States of America
Summary
Valley Health Systems was targeted in a ransomware attack by the REvil group, which claimed to have exfiltrated sensitive patient and employee data including medical records, prescriptions, personal identifiers, and diagnostic imaging files. The attackers threatened public release of the stolen information unless negotiations occurred, providing sample data as proof of compromise. This incident reflects broader targeting of healthcare organizations, which manage high-value data vulnerable to medical identity theft and fraud schemes. The healthcare provider had not issued an official statement regarding the breach at the time of reporting.
Description
On August 27, 2020, cybersecurity researchers from Cyble identified a data leak disclosure post by the REvil ransomware group claiming responsibility for breaching Valley Health Systems. The discovery occurred during routine monitoring of ransomware-related data leaks, with the threat actors asserting they had exfiltrated sensitive patient, client, and employee information from the healthcare provider's network. REvil operators explicitly threatened to publish the stolen data on their blog unless Valley Health Systems engaged in negotiations, accompanied by evidentiary snapshots of the compromised records. Analysis of the leaked samples revealed the theft of highly sensitive medical information, including patients' prescribed medications, full names, dates of birth, genders, unique patient identifiers, medical scan reports, and numerous Digital Imaging and Communications in Medicine (DICOM) files. The attackers' post contained direct communication to the organization, stating: "Hello, we have downloaded your private data, info about clients and employees and we are ready to publish in our blog if you don’t contact us." No official breach acknowledgment or statement from Valley Health Systems was documented in the source material at the time of reporting.

The compromised data's nature positioned affected individuals at significant risk of exploitation, given the high black-market value of medical records, which can command prices up to $1,000 per record according to industry observations. Stolen healthcare data enables multiple fraudulent activities including medical identity theft, fraudulent tax filings, insurance scams, and targeted extortion attempts against patients. The incident occurred against a backdrop of intensified cyber targeting of healthcare organizations, attributed to the critical sensitivity of their data holdings and operational pressures that may reduce cybersecurity readiness. REvil's operational pattern of exfiltrating data prior to encryption—a double-extortion tactic—was consistent with their approach in this breach, though the article did not specify whether ransomware deployment occurred alongside the data theft. Cybersecurity analysts emphasized the healthcare sector's persistent targeting by threat actors due to the irreversible privacy consequences of medical data exposure and the operational disruption risks posed to critical care providers.
