The Biggest Cyber Attacks on Healthcare in 2024—and What We Can Learn
1. Change Healthcare Ransomware Attack
In early 2024, Change Healthcare, a major provider of revenue cycle management and clinical information exchange solutions, suffered a ransomware attack carried out by the BlackCat ransomware group. The attackers gained initial access through a compromised vendor account, leveraging stolen credentials to infiltrate the network. Once inside, they deployed ransomware across systems, encrypting patient records, billing data, and appointment schedules.
Technical Details:
Initial Access Vector: Stolen credentials from a third-party vendor.
Payload: BlackCat ransomware variant with AES-256 encryption.
Propagation Method: Exploitation of Active Directory misconfigurations to move laterally.
Impact:
Service Disruption: The attack led to significant operational disruptions, affecting hundreds of healthcare providers relying on Change Healthcare's services.
Data Compromise: Sensitive patient information, including health records and payment data, was encrypted, raising concerns about data recovery and privacy compliance.
Financial Loss: $705 million in costs for the year, and $6 billion advanced to assist healthcare providers affected by the cyberattack.
Key Vulnerabilities:
Poor third-party access management.
Misconfigured Active Directory policies.
2. Ascension Health System Cyberattack
In mid-2024, Ascension, one of the largest nonprofit health systems in the U.S., experienced a ransomware attack originating from a spear-phishing email targeting a senior IT administrator. The attackers deployed LockBit 3.0 ransomware, effectively crippling the health system's electronic health record (EHR) platform and connected systems.
Technical Details:
Initial Access Vector: Spear-phishing email with a malicious macro-enabled document.
Payload: LockBit 3.0 ransomware.
Propagation Method: Exploited unpatched vulnerabilities in VPN gateways for lateral movement.
Impact:
Operational Disruption: EHR systems were offline for 12 days, forcing hospitals to revert to paper records and divert ambulances to nearby facilities.
Financial Loss: The attack contributed to a $1.1 billion net loss during Ascension’s 2024 fiscal year.
Key Vulnerabilities:
Lack of multi-factor authentication (MFA) for privileged accounts.
Unpatched VPN gateway vulnerabilities.
3. Singing River Health System Data Breach
In January 2024, hackers targeted Singing River Health System by exploiting an outdated Citrix ADC appliance to gain unauthorized access to the network. The attackers exfiltrated approximately 252,000 patient records, including Social Security numbers, medical histories, and insurance details, which were later found for sale on the dark web.
Technical Details:
Initial Access Vector: Exploited a vulnerability in an unpatched Citrix ADC appliance (CVE-2019-19781).
Data Exfiltration: Used Cobalt Strike beacons to extract data without triggering alerts.
Impact:
Data Exposure: Personal and health information of 252,000 patients was stolen, exposing them to identity theft and fraud.
Reputation Damage: Public trust in Singing River’s ability to safeguard data was severely impacted.
Key Vulnerabilities:
Failure to patch known vulnerabilities.
Inadequate monitoring of network traffic for anomalous activity.
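The "inadequate monitoring" point is worth making concrete. The following added example (not from the original article, and not Singing River's tooling) scores constructed outbound-flow records for two signals a beacon-and-exfiltration pattern leaves behind: machine-regular connection cadence and unusually large outbound volume to a single external host. Threshold values and the sample flows are illustrative assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, bytes_out).
# The 10.0.5.21 -> 203.0.113.10 flows mimic a beacon: a near-fixed 60 s interval
# with small jitter, followed by a burst of large uploads. Other flows are noise.
FLOWS = [
    (0, "10.0.5.21", "203.0.113.10", 1200), (61, "10.0.5.21", "203.0.113.10", 1180),
    (119, "10.0.5.21", "203.0.113.10", 1210), (181, "10.0.5.21", "203.0.113.10", 1195),
    (240, "10.0.5.21", "203.0.113.10", 52_000_000), (301, "10.0.5.21", "203.0.113.10", 48_000_000),
    (5, "10.0.5.30", "198.51.100.7", 800), (140, "10.0.5.30", "198.51.100.7", 2300),
    (900, "10.0.5.30", "198.51.100.7", 650), (35, "10.0.5.42", "203.0.113.55", 4000),
]

def analyze_flows(flows, min_conns=5, max_jitter=0.15, exfil_bytes=50_000_000):
    """Group flows by (src, dst); flag regular beacon cadence and large outbound volume.

    Thresholds are assumed defaults for illustration; tune them to the environment.
    Returns {(src, dst): [reason, ...]} for pairs that trip at least one check.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, out in flows:
        by_pair[(src, dst)].append((ts, out))
    findings = {}
    for pair, recs in by_pair.items():
        recs.sort()
        total_out = sum(out for _, out in recs)
        reasons = []
        if len(recs) >= min_conns:
            gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
            mean_gap = statistics.mean(gaps)
            # Coefficient of variation of inter-arrival gaps: low means machine-regular
            jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
            if jitter <= max_jitter:
                reasons.append(f"beacon-like cadence ~{mean_gap:.0f}s (jitter {jitter:.2f})")
        if total_out >= exfil_bytes:
            reasons.append(f"outbound volume {total_out / 1e6:.0f} MB to one host")
        if reasons:
            findings[pair] = reasons
    return findings

if __name__ == "__main__":
    for (src, dst), why in analyze_flows(FLOWS).items():
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

Real deployments would feed this from NetFlow, Zeek conn logs or firewall exports and correlate hits with the host's expected software inventory before raising an alert.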
4. Texas Tech University Ransomware Attack
In September 2024, the Texas Tech University Health Sciences Center (TTUHSC) and its El Paso campus experienced a ransomware attack that compromised approximately 1.4 million records related to students, staff, and patients.
Technical Details:
Initial Access Vector: While specific details about the initial intrusion have not been publicly disclosed, such attacks often begin with phishing emails or exploitation of unpatched vulnerabilities.
Payload: The ransomware variant used in this attack has not been specified.
Propagation Method: The attackers likely employed lateral movement techniques to spread across the network, encrypting data and disrupting operations.
Impact:
Data Compromise: Approximately 1.4 million records were compromised, including personal information of students, staff, and patients.
Operational Disruption: The attack caused significant disruptions to TTUHSC's services, impacting educational and healthcare operations.
Financial Loss: While the exact financial impact has not been disclosed, ransomware attacks on U.S. schools and colleges have been estimated to have cost around $2.54 billion in downtime and recovery efforts between 2018 and July 2024.
Key Vulnerabilities:
Potential Lack of Employee Training: If the initial access was gained through phishing, it underscores the need for regular employee training to recognize and respond to suspicious activities.
Insufficient Patch Management: Exploitation of unpatched vulnerabilities remains a common attack vector, highlighting the importance of timely software updates and patch management.
Inadequate Network Segmentation: The ability of attackers to move laterally within the network suggests a need for improved network segmentation to contain breaches and limit access to sensitive data.
Lessons Learned in 2024
2024’s breaches revealed the same recurring patterns in healthcare cybersecurity that we’ve seen in prior years:
Human Error Remains a Top Threat: Phishing and social engineering attacks accounted for the majority of breaches. Regular staff training and simulated phishing exercises are essential.
Legacy Systems are a Liability: Many attacks exploited outdated systems that were no longer receiving security updates. Upgrading or replacing legacy systems should be a priority.
Proactive Measures Pay Off: Organizations that had robust MFA, regular patch management, and network segmentation were able to mitigate or avoid significant damage.
Looking Ahead to 2025
Cyber threats will only continue to evolve. Healthcare providers must prioritize cybersecurity by:
Investing in Advanced Threat Detection: AI-powered tools can identify and stop attacks before they spread.
Enhancing Incident Response Plans: Regularly test and update your response strategies.
Partnering with Experts: Working with cybersecurity consultants ensures vulnerabilities are identified and addressed proactively.
Subscribe to our newsletter to stay informed about the latest cybersecurity trends and threats. And finally, if you have any questions or just want to chat about cybersecurity, feel free to reach out—we love answering questions and sharing what we know!