
Cyber Incident Victim: Gesundheit Nord

Date: May 2023

Location: Germany

Summary

The Bremen hospital group Gesundheit Nord suffered a cyber attack after threat actors initially compromised an external IT service provider's device to steal access credentials. Patient data was exfiltrated in considerable volume from the Bremen-Ost hospital, creating risks of discrimination, reputational harm, or financial damage. While patient safety was not endangered, internal operations were severely disrupted, forcing staff to resort to manual processes like handwritten orders until systems were gradually restored.

Description

On or around May 9, 2023, the Bremen hospital network Gesundheit Nord (GeNo) began experiencing significant IT disruptions. The initial response was a precautionary disconnection of the entire network from the internet after unusual activity was detected. This action was confirmed by a GeNo spokesperson, who stated the internal network remained functional, allowing for internal email communication between the network's clinics. This isolation measure was taken to contain the potential threat and prevent further unauthorized access from outside the network. The immediate impact was a complete loss of external internet connectivity for staff, severely hampering digital communication with entities outside the GeNo network.

The incident forced an immediate shift to manual and analog processes. Employees could no longer use computers for external communications and had to rely solely on telephones. The GeNo website was updated with a notice informing the public that the hospitals were only reachable by phone and not via email. Internal hospital operations, including patient care, were maintained without immediate danger to patient safety. However, the lack of internet access disrupted numerous ancillary services that rely on external digital links.

Investigations commenced immediately to determine the cause and scope of the unusual activity. Initially, the spokesperson for the network stated the cause was unclear and that a hacker attack could not be ruled out. Taking systems offline for IT security reasons had, in other recent cases, been an early indicator of a cyber intrusion. The disruption persisted for several days as internal and external analysts worked to assess the situation within the isolated environment.

By May 10, 2023, Gesundheit Nord confirmed the event was a cyber attack. Further investigation revealed that the attack had initially occurred on the endpoint device of an external IT service provider. Through this initial compromise, the threat actors acquired access credentials that allowed them to infiltrate the GeNo systems. The investigation also confirmed that data had been exfiltrated from the servers in considerable volume. This stolen data included patient information, with data from the Bremen-Ost hospital specifically identified as being affected.

The confirmation of data exfiltration introduced a significant secondary impact: the potential for misuse of sensitive personal and medical information. The GeNo management stated that the risk fundamentally involved unauthorized third parties using the data to cause harm, including discrimination, reputational damage, or financial loss. They noted the loss of control over personal data and the breach of confidentiality for information protected by professional secrecy. The potential consequences for affected individuals were described as possibly including financial or societal disadvantages, with criminals potentially using the data for fraud schemes such as phishing.

A company spokesperson confirmed that no ransom demand had been received at that time. It remained unclear which, if any, cybercriminal gang was behind the attack. The primary focus remained on securing the systems and understanding the full scope of the data breach. It was reiterated that patient safety had never been endangered at any point during the incident. However, a full return to normal operations had not been achieved, indicating that the attack's disruptive effects were ongoing.

The recovery process was gradual. Many systems were eventually brought back online, simplifying workflows that had become arduous and inefficient. During the outage, processes had to be handled through alternative means, including handwritten requests and orders. The restoration of external email reception, laboratory communication, warehouse logistics—which had been exclusively digital—and communication with health insurance companies and banks marked significant steps toward operational normalization. The return of these critical systems alleviated some of the massive disruptions that had plagued administrative and logistical functions.

The response involved notifying the appropriate authorities. GeNo engaged the Federal Office for Information Security (BSI), the State Commissioner for Data Protection and Freedom of Information, and law enforcement agencies. The investigation into the incident continued, particularly in cooperation with criminal investigators. Internally, GeNo employees were slated to receive a formal notification about the breach. Patients were informed through the public online statement detailing the nature of the attack and the potential risks associated with the data leak. The prolonged investigation and recovery efforts underscored the severity of the attack and the complexity of managing its aftermath within a critical healthcare infrastructure.
