Cyber Incident Victim: GHT Coeur Grand Est
Date: Apr 2022
Location: France
Summary
A French hospital group disconnected all internet connections following a cyberattack that resulted in theft of sensitive administrative and patient data. The incident disrupted online services but did not affect patient care or operational systems. Stolen information included social security numbers, passport scans, banking details, and contact information, increasing risks of social engineering attacks. The attackers demanded a ransom and later listed the 28.7 GB dataset for sale on a dark web marketplace. The breach primarily impacted two hospitals within the network, though most facilities operate independently with separate IT infrastructures.
Description
On April 19, 2022, the French hospital group GHT Coeur Grand Est suffered a cyberattack impacting its establishments in Vitry-le-François and Saint-Dizier. Threat actors infiltrated the network, exfiltrating approximately 28.7 GB of sensitive administrative and patient data. The stolen information reportedly included social security numbers, passport scans, banking details, emails, and phone numbers. Upon detecting the breach, GHT immediately severed all incoming and outgoing internet connections across its nine-hospital network to contain the attack and prevent further data theft or lateral movement. This containment measure rendered online services like appointment scheduling temporarily unavailable but preserved core clinical operations, as internal software systems remained unaffected. GHT publicly confirmed the incident, emphasizing patient care continuity while warning employees and patients of heightened risks for social engineering scams via email, SMS, or phone calls due to the exposed personal data.

The attackers subsequently listed the stolen data on Industrial Spy, a dark web marketplace, with an initial ransom demand of $1,300,000. After the payment deadline expired, the data became available for purchase, though the marketplace listing lacked competitively valuable corporate documents typically associated with Industrial Spy’s offerings. Forensic analysis suggested the breach primarily affected Vitry-le-François’s infrastructure, with limited overlap detected in DNS records between Vitry-le-François and Saint-Dizier. However, critical systems like Microsoft 365 tenants remained segregated across the broader GHT network, limiting the attack’s scope. GHT maintained internet disconnection until investigators could fully remediate the initial exploitation vector, described only as a "flaw" in public statements. No ransomware deployment or system encryption was reported, with operational disruptions confined to external-facing online services during the containment period. The incident highlighted risks to regional healthcare infrastructure but demonstrated effective isolation protocols that prevented widespread clinical impact despite significant data compromise.
