Cyber Incident Victim: Columbus Regional Healthcare System
Date: May 2023
Location: United States of America
Summary
Columbus Regional Healthcare System experienced a ransomware attack by the Daixin group, which encrypted its network and exfiltrated data after deleting backups. The group initially demanded a $2 million ransom, which was not paid, and later offered to delete the data for a reduced amount before planning to leak over 250,000 files. The compromised files reportedly contained sensitive information including patient tax forms, employee records, and billing and accounting data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 18, 2023, the Daixin ransomware gang executed a cyberattack against Columbus Regional Healthcare System (CRHS), a healthcare provider based in Whiteville, North Carolina. The attackers successfully encrypted the CRHS network. Prior to encryption, the group exfiltrated an unknown amount of data from the system. The attackers also deleted backups stored on the network, an action intended to inhibit the organization's recovery efforts and increase leverage in subsequent negotiations. The incident was not initially publicly disclosed by the healthcare system itself. Instead, the first reports of a potential breach began to surface on June 9, 2023, when the Daixin group publicly claimed responsibility for the attack.

Following the encryption of its systems, Columbus Regional Healthcare System engaged with the threat actors. Initial communications indicated that CRHS was interested in negotiating the ransom demand. The hackers' initial financial demand was set at $2 million. The healthcare system communicated to the attackers that it was unable to meet this demanded amount, which led to a breakdown in negotiations. Subsequently, the Daixin group reinitiated contact with a significantly reduced counter-offer, indicating a willingness to accept a payment of $1 in exchange for deleting the stolen data. According to a spokesperson for the ransomware gang, Columbus Regional Healthcare System did not respond to this altered demand.
As a result of the failed negotiations, the Daixin group announced its intention to publicly leak the stolen data. The group planned to release more than 250,000 files containing confidential information. A sample of the compromised data was shared with an independent cybersecurity news outlet, databreaches.net. This sample revealed the nature of the exfiltrated information, which included a substantial quantity of sensitive documents. The files comprised internal tax forms, extensive employee records, and detailed billing and accounting records. The total number of individuals potentially affected by this data exposure was not immediately quantifiable from the initial reports.
The primary consequence of the attack was the significant operational disruption caused by the encryption of the network and the deletion of backups. A second, critically serious consequence was the threat of widespread disclosure of highly sensitive personal and financial information. The exposure of tax forms, employee records, and billing data created a substantial risk of identity theft, financial fraud, and other forms of misuse for the affected individuals. For the organization, the incident posed a direct threat to its operational continuity, financial stability, and reputation.
Columbus Regional Healthcare System did not publicly confirm or acknowledge the ransomware attack or the subsequent data breach in the immediate aftermath of the reports. The organization had not, at the time of the reporting, provided formal notice of the incident to its patients or employees. The public disclosure of the event was driven entirely by the claims of the cybercriminal group and subsequent reporting by third-party cybersecurity news sources. The expected response action from CRHS, should the hackers' claims be validated by an internal investigation, was to conduct a comprehensive review of the incident. This investigation would be necessary to determine the precise scope of the data leak, identify the specific types of information involved, and ascertain which individuals had their data compromised.
Upon the conclusion of this investigation, the organization would be obligated to send out data breach notification letters to all individuals whose protected information was involved in the security incident. These letters would serve to inform affected parties of the breach and the potential risks to their personal data. The healthcare system operates ten facilities in Leland and Whiteville, North Carolina, including a 154-bed hospital and several specialized clinics and imaging centers. With over 815 employees and approximately $77 million in annual revenue, the impact of the attack had the potential to affect a considerable number of patients and staff across its service area. The full extent of the operational impact and the timeline for restoration of systems remained undisclosed by the organization at the time of the reporting.
