Cyber Incident Victim: Gruppo MultiMedica
Date: Apr 2023
Location: Italy
Summary
Gruppo MultiMedica, an Italian healthcare group, suffered two successive cyber attacks on its IT systems in April 2023. The second attack landed while a task force was still working to restore clinical operations after the first. The incident forced the suspension of all outpatient services, emergency room activity, and the collection of medical reports; only critical services such as obstetrics, dialysis, and chemotherapy remained operational. The organization reported the incident to law enforcement and stated that it could not give a timeline for a full return to normal operations.
Description
On the night between Friday, April 21st, and Saturday, April 22nd, 2023, the Gruppo MultiMedica healthcare organization suffered an initial cyber attack against its information technology systems. This marked the beginning of a significant disruption to the group's clinical and operational activities. The organization responded by promptly establishing a task force composed of internal staff and external experts to manage the crisis. The task force's primary objectives were to restore systems and, most critically, to keep clinical-care activities running during the IT outage. While that response was still in progress, Gruppo MultiMedica was hit by a second cyber attack. The organization did not specify how much time separated the two attacks, only that the second occurred after the task force had already been mobilized and was actively working.

As a direct consequence of the two attacks, Gruppo MultiMedica was forced to suspend a wide range of its medical services. The organization issued a public communication to inform patients and other interested parties of the impact on its operations. All outpatient activity was suspended. All emergency room operations were halted, leaving a significant gap in urgent care availability. The service for the collection of medical reports was also suspended, preventing patients from retrieving diagnostic results and other medical documents. Any planned appointments, tests, or consultations outside the limited set of services that remained operational were therefore affected.
Despite these limitations, Gruppo MultiMedica was able to maintain a core set of critical, life-sustaining services. The activities that were guaranteed to continue were obstetrics, dialysis, rehabilitation, chemotherapy, nuclear medicine, and home care (ADI, Assistenza Domiciliare Integrata). Hospitalization of patients already admitted was also maintained, so that the most vulnerable patients continued to receive essential care. To manage inpatient capacity, the company stated it would directly contact patients already known to the system who could be hospitalized, which implies a manual, case-by-case process for assessing bed availability and patient needs without the normal IT systems.
In response to the incident, Gruppo MultiMedica began working with law enforcement, specifically the Postal Police (Polizia Postale, the Italian unit responsible for cybercrime). This engagement indicates that the incident was treated as a criminal matter and that an official investigation was underway. The organization was open about the limits of what it knew regarding recovery: in its public statements it explicitly said it could not establish when all operations would return to normal, which points to substantial damage to its IT infrastructure and a complex recovery. The company committed to providing further operational updates as the situation evolved. A second attack landing while restoration was already underway is a pattern that, in practice, often means the initial intrusion had not been fully contained or eradicated before systems were brought back; the organization's statements do not say whether that was the case here. What the statements do confirm is that a major healthcare provider lost its outpatient and emergency services entirely for an indeterminate period.
