
Cyber Incident Victim: OakBend Medical Center

Date: Sep 2022

Location: United States of America

Summary

OakBend Medical Center experienced a ransomware attack claimed by the Daixin Team, prompting immediate system lockdowns and law enforcement engagement. The attackers exfiltrated patient and employee data, threatening public release, while also encrypting backups, potentially hindering recovery efforts. Operational disruptions persisted, affecting communications and requiring alternative contact methods, though patient safety reportedly remained unaffected throughout the incident.


Description

On September 1, 2022, OakBend Medical Center, a Texas-based nonprofit hospital system with 274 beds, over 50 locations, and approximately 1,200 employees, experienced a ransomware attack. The IT department detected the incident shortly before the Labor Day holiday weekend, prompting immediate containment measures, including taking all systems offline and activating lockdown protocols. The organization engaged law enforcement, notifying the FBI, CISA (Cybersecurity and Infrastructure Security Agency), and the Ft. Bend County Government Cyberteam to investigate. Recovery efforts began after third-party cybersecurity experts from Dell, Microsoft, and Malware Protects, working alongside internal IT staff, completed initial assessments and authorized system rebuilding. Operational disruptions persisted through at least September 9, with phone systems and email remaining non-functional, so alternative contact numbers had to be published for patients.


The Daixin Team ransomware group claimed responsibility for the attack, contacting DataBreaches.net on September 9 with evidence of data exfiltration. The attackers provided a file directory listing showing 258 folders containing 6,051 files, asserting they had stolen approximately 3.5 gigabytes of data, including 1.2 million records of patient and employee information. Daixin representatives stated they had encrypted the medical center's backup systems, speculating that inadequate backups explained OakBend's prolonged recovery timeline. The group threatened to publicly release the stolen data the following week, creating a confidentiality risk despite OakBend's public assurance that patient safety was never compromised during the incident. Hospital operations continued throughout the recovery phase, which involved reconstructing critical IT infrastructure while maintaining emergency and inpatient services across a network that annually handles over 8,500 hospitalizations and 40,000 emergency visits.
