
December ransomware attacks slam healthcare, public services

In December, one victim organization paid a $1.5 million ransom to restore services, while another continued to experience disruptions for more than one month following an attack.

As 2024 wrapped up, ransomware continued to be a prevalent threat for victim organizations in the education, transportation and healthcare sectors.

While the number of reported ransomware attacks in the U.S. appeared to dip in December compared with November, disruptions remained substantial. Victim organizations experienced prolonged downtimes and significant data breaches as ransomware gangs claimed to have accessed highly sensitive information such as patient records and images.

Attacks knocked services offline for weeks or months, interrupted students' education and led one victim organization to give in to pressure to pay a ransom demand. Like many of the major ransomware attacks throughout 2024, the December incidents continued to show how enduring the threat is.

One highly disruptive attack last month occurred against PIH Health in Whittier, Calif., Dec. 1. The attack affected healthcare appointments and services at PIH Health Downey Hospital, PIH Health Good Samaritan Hospital and PIH Health Whittier Hospital, as well as urgent care centers, doctors' offices and PIH Health's home health and hospice agency. The nonprofit healthcare network serves 3 million residents in Los Angeles, according to its website.

While urgent care centers and emergency rooms remained open, patient health records, laboratory systems, pharmacy services, patient registration and internet access remained down. PIH Health began providing updates Dec. 6 and requested that patients take a current list of medications along with medication bottles to appointments. PIH Health announced some phone services were finally restored Dec. 16, though lines remained down for PIH Health Physicians offices.

PIH Health published the latest update Tuesday. More than one month after the attack, the healthcare network reiterated that there is "no timeline for full system restoration."

Not only did the attack affect patient care and services, but it also may have led to a significant data breach.

On Dec. 14, the Los Angeles Daily News reported that the attackers claimed to have stolen 17 million patient records, as well as lists of confidential diagnoses, test results, patient photos and scans. PIH Health has not addressed the data breach report, and no ransomware group has claimed responsibility for the attack.

Ransomware affected RIBridges, the system Rhode Island uses to manage several important state health services, at the beginning of December. State officials shared an attack timeline, updates and resources for affected citizens in an alert on the state's official website.

The alert revealed that consulting firm Deloitte, which maintains the RIBridges system, notified the state of a "potential cyberattack" Dec. 5. Five days later, Deloitte determined threat actors breached the state administration system.

"On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat," the state wrote in the alert.

In response to the data breach, Rhode Island Governor Daniel McKee urged individuals to take steps to protect their data. McKee warned that the breach could affect individuals who applied for state health coverage or health and human services programs including Medicaid, the Supplemental Nutrition Assistance Program, the Child Care Assistance Program and the General Public Assistance Program.

On Dec. 23, McKee announced that HealthSource RI would supplement health coverage while RIBridges remained "temporarily unavailable." During a briefing with McKee and Lindsay Lang, director of HealthSource RI, the governor said the breach affected about 650,000 individuals.

However, the incident escalated on Dec. 30, when the state learned threat actors leaked the stolen data. The Brain Cipher ransomware group claimed responsibility for the attack.

"Unfortunately, Deloitte has informed us that the cybercriminal released at least some RIBridges files to a site on the dark web," the alert said. "This is a scenario that the State has been preparing for, which is why earlier this month we launched a statewide outreach strategy to encourage potentially impacted Rhode Islanders to protect their personal information. Right now, IT teams are working diligently to analyze the released files. This is a complex process and we do not yet know the scope of the data that is included in those files, but as we've been saying for several weeks, we should assume that data contained in the RIBridges system has been compromised."

As of Dec. 31, RIBridges remained down and a call center to assist individuals with HealthSource RI was set up through Jan. 5.

Attacks on schools and public services

While the timeline is unclear, Marietta City Schools in Georgia experienced network disruptions in early December. WSB-TV in Atlanta reported the attack Dec. 4, with a statement from school Superintendent Grant Rivera. Rivera told the media outlet that the district's IT team discovered unauthorized access on the schools' systems but was able to restore systems without causing operational disruptions.

Subsequently, Marietta began an investigation and implemented additional security protocols. The RansomHub ransomware gang claimed responsibility for the attack. Antimalware vendor ESET published a report last month that showed RansomHub was the most active ransomware group during the second half of 2024 and anticipated that trend would continue into 2025.

On Dec. 6, People Newspapers reported that Highland Park Independent School District (HPISD) in Texas cited ransomware as the cause of a weekslong network disruption. The news outlet included an email that Mike Rockwood, HPISD superintendent, sent to district families and school staff Dec. 6. In the email, Rockwood said the school initiated an investigation and was working to restore systems, including phone access. No ransomware gang has claimed responsibility for the attack.

Officials in Wood County, Ohio, paid a $1.5 million ransom demand following an attack on the municipal government that was detected Dec. 9. While the county did not release an official statement, it did provide statements to media outlets with additional details. On Dec. 10, The Blade, a Toledo-based newspaper, reported that an attack one day prior affected operations at the sheriff's office, the county's jail and common pleas court. More alarmingly, it disrupted access to the county's crime reporting system and computer-aided dispatch system that manages emergency response calls and services.

On Dec. 23, ABC13 reported that commissioners confirmed Wood County paid a $1.5 million ransom, began restoration efforts and implemented additional security measures as a result of the disruptive attack. ABC13 added that the county used its emergency reserve funds to pay off the attackers.

Also on Dec. 23, Pittsburgh Regional Transit (PRT) disclosed it suffered a ransomware attack that was initially detected on Dec. 19. Pennsylvania's public transportation system includes more than 700 buses and 80 light rail vehicles, providing "more than 60 million rides a year," according to its website. PRT said the attack temporarily disrupted rail services and affected its customer service center, which was unable to accept or process Senior Citizen and Kids ConnectCards for payment. However, transit services remained operational. PRT added that an investigation to determine whether rider information was compromised is ongoing.

"PRT will continue to provide updates as appropriate. Due to the sensitive nature of the situation, specific details cannot be shared at this time," PRT wrote in the news release.

On Tuesday, PRT issued a cyber incident notice warning individuals that stolen data included "Social Security numbers and driver’s license numbers related to some current or former PRT employees and PRT job applicants." As a result of the ransomware attack, PRT said it also implemented an enterprise-wide password reset and additional security protocols including enhanced network monitoring and bolstering access restrictions.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
