The hackers responsible for the Corbeil-Essonnes hospital attack in August made good on their threats by revealing the stolen health information, putting those affected by the fraud at risk of blackmail or extortion.
The hospital confirmed on Sunday the publication of data that “appears to be of concern to our users, our staff and our partners.”
Among the published information are “certain administrative data”, including the social security number, and “certain health data such as examination reports and in particular external files of anatomocytopathology, radiology, analysis laboratories, doctors”, continues the center. hospitable.
“The attack appears to have been limited to virtual servers and only a portion of CHSF’s storage space (around 10%),” it adds.
It was the cybersecurity blog Zataz.com, which had raised the alert, stating that a “first release (of data) was (was) orchestrated in the form of an 11.7-gigabyte compressed file.”
According to Damián Bancal, author of the blog who was able to consult the file, it contains documents as varied as medical exams, applications for universal medical coverage (CMU) and an authorization for mandatory psychiatric hospitalization.
“However, at this stage of the analysis of the elements in the possession of the investigative services, it is not possible” to easily access the data, “the Paris prosecutor’s office told AFP. “Only insiders can access the data.” Mr. Bancal confirmed to AFP.
The Paris prosecutor’s office opened an investigation and entrusted it to the gendarmes of the Center for the Fight against Digital Crime (C3N).
The risk now is that criminals will use the accessible data to mount further targeted attacks, using the personal information at their disposal to gain the trust of the victim.
– Security measures –
The attackers will look for, for example, “bosses, VIPs”, and set up scams such as “presidential fraud”, where the scammer manages to obtain a bank transfer from an institution by posing as their boss or CFO. Mr. Bancal explained.
Attackers can also use phone numbers to set up personal training accounts (CPFs) or cryptocurrency scams, email addresses to phishing, trick the user into downloading malicious files, or clicking links to extort tokens and codes. access…).
In its press release, the Corbeil-Essonnes hospital center recalled several security measures to be followed by potential stakeholders.
In case of receiving an email, SMS or telephone call requesting this or that action by the user, it is necessary to “verify that the sender is indeed legitimate and related to the matter” and “never provide confidential information (banking, passwords, etc. .).
You have to “be vigilant if the tone of the message is urgent, which pushes you to action, even more so if you did not expect this message,” the hospital also indicated.
It also recommends “verifying accounts associated” with a Social Security number and changing passwords “if in doubt.”
According to Zataz, the hackers had set an ultimatum on September 23 for the hospital to pay the ransom.
The hospital, located in Essonne, south of Paris, provides health coverage to nearly 700,000 inhabitants of the outer suburbs.
He had been the victim on August 21 of a cyberattack with a ransom demand of 10 million dollars, later reduced to one or two million dollars, according to the sources.
Public establishments never pay ransoms, the law prohibits them from doing so. Contacted by AFP, the Health Ministry was unable to comment on these developments on Sunday.