Date: Jun 2023

Location: France

Summary

The Centre Hospitalier Universitaire (CHU) de Rennes was targeted in a cyberattack that led to the exfiltration of patient data. The hospital's internal systems were isolated from the internet to contain the incident, which caused the unavailability of its website, intranet, and email services. Medical activities and patient care continued normally, with appointments managed by phone. An investigation was launched with national cybersecurity authorities to determine the scope and type of data compromised.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actors: 0 actors
Threat Actor Type: available to members
Threat Actor Location: available to members

Description

On the evening of Wednesday, June 21, 2023, the first signs of a cyberattack were observed by staff at the Centre Hospitalier Universitaire (CHU) de Rennes. Around 6:00 PM, the hospital's intranet and email messaging systems became unavailable, signaling a disruption to core internal communications. The alert was formally raised later that evening, and by approximately 9:20 PM, a message was sent to the hospital's employees confirming that a cyberattack was underway. In immediate response, the hospital's crisis unit was activated. As a protective measure to limit the attack's propagation, the CHU completely disconnected its entire information system from the internet. This decisive action was taken to isolate the internal network. Despite this widespread disconnection from external networks, the hospital's medical applications remained operational internally, and a primary focus was placed on ensuring clinical activities could continue without interruption.


The hospital's public communications, issued on June 21st and into the following morning, confirmed that patient care was not halted. The emergency department reception, the SAMU-Centre 15 emergency call service, and all medical activities and physical appointments were maintained and functioned normally. However, the disconnection of systems had secondary impacts on administrative and patient-facing services. The CHU's public website was inaccessible on the morning of Thursday, June 22nd. Furthermore, the ability to schedule new appointments was severely impacted; until further notice, taking appointments was only possible via telephone, as the online systems were offline.

Investigations, conducted in conjunction with the National Agency for the Security of Information Systems (ANSSI) and CERT-Santé, the computer emergency response team for the health sector, confirmed that the cyberattack had resulted in a data exfiltration incident. The hospital's initial analysis focused on qualifying the quantity and type of data that had been stolen. While the full scope and precise nature of the compromised data were still under assessment immediately following the attack, the confirmed exfiltration triggered mandatory regulatory actions. The CHU de Rennes filed an official complaint with the Rennes police station (commissariat) and filed a declaration with the CNIL, France's data protection authority. The hospital also committed to taking the necessary measures to inform the individuals concerned by the data breach once the analysis was complete.

The attack's progression was notably halted during its exfiltration phase, according to analysis of the event timeline. The detection of malicious activity and the subsequent rapid isolation of the system prevented the attack from reaching its likely final objective. The nature of the incident, characterized by data theft without any reported encryption of systems, suggests one of two scenarios: either the attackers were solely focused on data extortion and did not deploy ransomware encryption payloads, or the hospital's defensive actions successfully prevented the triggering of such encryption. This sequence of events—detection followed by isolation before full execution—is comparable to an earlier incident at the CHRU of Brest, where similar actions cut the attackers off before they could complete their mission, allowing business applications to remain functional while forensic investigations on active machines, including searches for traces in volatile memory, were conducted.

The broader context of the healthcare sector in France, as detailed in reports from CERT-Santé, indicates that while the number of successful ransomware attacks with encryption has decreased, system compromises are increasingly common. The year 2022 saw 113 declared incidents of information system compromises, a rise from 98 in 2021, with a significant portion involving the theft of credentials for email and remote access accounts. The first five months of 2023 saw 47 such compromise incidents reported to CERT-Santé, compared to 11 ransomware attacks in the same period. This incident at CHU de Rennes exemplifies this trend of attackers gaining access and exfiltrating data, potentially for extortion purposes, without necessarily proceeding to deploy disruptive encryption across the network. The hospital's response effectively managed the immediate operational impact, safeguarding patient care while initiating the lengthy process of investigating the data breach and mitigating its consequences.

Sources: 2 sources (available to members)