Cyber Incident Victim: USL Umbria 2
Date: Apr 2021
Location: Italy
Summary
The healthcare facility USL Umbria 2 experienced a ransomware attack that disrupted its IT systems and significantly impacted administrative and healthcare operations, including infrastructure servers, laboratory services, and hospital activities. Emergency pandemic responses such as swab testing and vaccinations remained operational, and IT teams restored partial functionality to laboratory systems and the Emergency Department by the end of the incident day. Some services faced slowdowns and temporary inaccessibility during recovery efforts.
Description
On April 11, 2021, at approximately 5:30 AM, the USL Umbria 2 healthcare facility in Terni, Italy, detected malfunctions in its corporate IT systems. Initial investigations revealed the presence of viruses affecting the company’s network, servers, and personal computers critical to digital operations. By April 12, analysis conducted with the assistance of the Postal Police confirmed a ransomware attack, which significantly disrupted administrative and healthcare services. The attack compromised infrastructure servers, analysis laboratories, and select hospital operations, though core medical assistance functions continued with reduced efficiency. Laboratory information systems, including the platform for online report collection, became inaccessible, forcing patients to defer non-urgent services. Emergency pandemic-related activities—such as COVID-19 swab testing and vaccination campaigns—remained operational through manual workarounds. The disruption extended to radiology services and administrative workflows, creating delays across outpatient and inpatient care.

USL Umbria 2 initiated containment measures immediately after detecting the incident, isolating affected systems to prevent further spread. By the evening of April 11, technicians restored one critical server, reinstating functionality for laboratory operations and the Emergency Department. The IT and telecommunications teams prioritized full system recovery while collaborating with law enforcement to investigate the attack’s origin. The organization issued public advisories on April 11 and 12, instructing patients to seek non-urgent care only after consulting physicians and apologizing for service interruptions. Despite partial restoration, residual slowdowns persisted in clinical and administrative processes, with no confirmed timeline for complete resolution. The facility maintained transparency through its website, committing to updates as recovery progressed, while emphasizing uninterrupted emergency and pandemic response operations.
