The Ransom Hub ransomware group continues to target the healthcare sector, with its latest victim being Planned Parenthood, a reproductive healthcare provider based in New York. The group added Planned Parenthood to its data leak site, claiming responsibility for stealing 93 GB of sensitive information. CEO Martha Fuller of Planned Parenthood of Montana reported the discovery of a cyberattack on August 28, 2024. The company took quick action to halt unauthorized access by taking certain network parts offline to contain the breach. Work is being done to re-establish affected systems, but it is still not confirmed if patient data was compromised.
Cyberattacks on healthcare providers always pose significant risks, but breaches involving reproductive and sexual health services carry additional dangers. The sensitivity of the data held by these providers increases the potential harm to affected individuals. Besides the typical risks of identity theft and fraud, cybercriminals may resort to extortion, and leaked data could have legal consequences, especially for patients seeking or having undergone abortion procedures.
RansomHub added Planned Parenthood to its dark web data leak site on September 4, 2024, and published screenshots of administrative, financial, and legal docs as evidence of the attack. Still, no patient data has been uploaded yet to the data leak site. Planned Parenthood was given 7 days to decide to stop publishing the stolen information by paying the ransom. This is not Planned Parenthood’s first experience of a ransomware attack. In 2021, the Los Angeles Office fell victim to an attack involving the protected health information (PHI) of 400,000 people, and its Metropolitan Washington branch suffered a hacking incident in 2020. With the recurrence of attacks resulting in data breaches, it is recommended for Planned Parenthood to re-assess its HIPAA compliance plan.
Based on a joint cybersecurity advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Ransom Hub, first identified in February 2024, operates as a ransomware-as-a-service group and has been linked to over 210 attacks. The group actively recruits affiliates from defunct groups such as LockBit, and ALPHV/BlackCat. Their attacks have increased in occurrence, with other notable healthcare patients such as Rite Aid, and the Florida Department of Health. They also tried to extort Change Healthcare after getting data from an ex-BlackCat affiliate engaged in a prior attack. In the first half of 2024, Searchlight Cyber reports that Ransom Hub was ranked the third most active ransomware group.