Ransomware Attack Hits Hanover Hill Health Care Center

Incident Date: July 27, 2024

Overview

Title: Ransomware Attack Hits Hanover Hill Health Care Center
Victim: Hanover Hill Health Care Center
Attacker: Black Suit
Location: Manchester, New Hampshire, USA
First Reported: July 27, 2024

Ransomware Attack on Hanover Hill Health Care Center by BlackSuit Group

Overview of Hanover Hill Health Care Center

Hanover Hill Health Care Center, located in Manchester, New Hampshire, is a comprehensive skilled nursing and rehabilitation facility. Established in 1970, the center operates a 124-bed residence offering sub-acute rehabilitation, nursing care, intermediate long-term care, and a specialized memory care unit. The facility is known for its high standard of care, certified by Medicare and Medicaid, and accredited by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO). Hanover Hill employs between 51 and 200 staff members and generates an estimated annual revenue between $5 million and $25 million.

Details of the Ransomware Attack

On July 31, Hanover Hill Health Care Center reported a ransomware attack by the BlackSuit group. The attack, discovered on July 16, compromised sensitive personal information stored on both the onsite server and its backup systems. The breached data includes names, Social Security numbers, dates of birth, addresses, and medical information related to Medicaid and Medicare applications. Daily resident care records stored on a cloud-based platform remained unaffected.

Facility administrator Lori McIntire confirmed that local, state, and federal authorities were notified, and legal and cybersecurity experts were consulted to mitigate the impact. The extent of the attack and whether a ransom was paid have not been disclosed. The facility advises affected individuals to enroll in identity theft monitoring services.

About BlackSuit Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023, closely related to the notorious Royal ransomware group. It targets both Windows and Linux systems, including VMware ESXi servers. BlackSuit appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The note includes a reference to a Tor chat site for victim communication.
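The two file-system artifacts named above (the .blacksuit extension and the README.BlackSuit.txt note) are enough to scope which directories on a server or backup volume were touched. The following Python script is an added example, not code from the original report or from any vendor tool; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".blacksuit"          # extension the page attributes to BlackSuit
RANSOM_NOTE = "readme.blacksuit.txt"  # note name from the page, lowercased for matching


def triage(root):
    """Map each affected directory (relative to root) to its artifact counts."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        names = [f.lower() for f in filenames]
        notes = names.count(RANSOM_NOTE)
        encrypted = sum(1 for n in names if n.endswith(ENCRYPTED_EXT))
        if not (notes or encrypted):
            continue                   # directory shows neither artifact
        intact = len(names) - encrypted - notes
        if encrypted and intact:
            state = "partial"          # some files renamed, others left alone
        elif encrypted:
            state = "encrypted"        # every non-note file carries the extension
        else:
            state = "note-only"        # note present, nothing renamed here
        report[os.path.relpath(dirpath, root)] = {
            "state": state, "note": notes > 0,
            "encrypted": encrypted, "intact": intact,
        }
    return report


def build_sample_tree(root):
    """Create a constructed directory tree of empty files for the demonstration."""
    layout = {
        "records": ["a.pdf.blacksuit", "b.docx.blacksuit", "README.BlackSuit.txt"],
        "backup": ["full.bak.blacksuit", "notes.txt", "README.BlackSuit.txt"],
        "tools": ["README.BlackSuit.txt"],
        "clean": ["policy.pdf"],
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in files:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, info in sorted(triage(tmp).items()):
            print(path, info)
```

Run against a read-only mount or forensic image of the affected volume; directories reported as "partial" show which files still lack the extension, which helps when deciding what has to come from backup.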

Researchers have found significant similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit may be a new variant developed by the same authors, a copycat, or an affiliate of the Royal ransomware gang. The high degree of similarity in code and functionality indicates a strong connection between the two ransomware families.

Potential Vulnerabilities and Penetration

The ransomware infiltrated both the onsite server and its backup systems at Hanover Hill, indicating potential vulnerabilities in their data security infrastructure. The attack highlights the importance of robust cybersecurity measures, especially for healthcare facilities that handle sensitive personal and medical information. The exact method of penetration remains unclear, but it underscores the need for continuous monitoring and updating of security protocols to defend against sophisticated ransomware attacks.
