(UPDATED) Cyber attack on the San Raffaele hospital in Milan
Marco A. De Felice (@amvinfe on Twitter) reports:
In the midst of the COVID19 emergency, the San Raffaele hospital in Milan was the victim of a computer attack. Steal the personal data of patients, doctors, nurses and employees.
Names, tax codes, email accounts and passwords stolen during a cyber attack that took place between March and April. Anonymous LulzSec Italia decided to make it public yesterday on his Twitter account, only after making sure that the flaw in the IT systems of the Milanese hospital had been resolved.
The hospital seemed to be pretty dismissive of the claims:
“… the situation to which reference is made, reported by an unreliable source, refers to an attempted intrusion which took place months ago which did not entail access to any sensitive data. The names of many operators are public for service reasons and the information published relates to an application dedicated to online training that has been abandoned for years with equally obsolete and disused users and access passwords – and that the hospital management – is already in contact with the competent bodies to provide any useful clarification “ .
Read more on SuspectFile.com.
Update: Bill Toulas of TechNadu has added to the coverage on this incident. He seems to be having the same reaction that I am: that the hospital’s attempts to dismiss this all as unimportant has already backfired and resulted in personally identifiable patient information being dumped, with more to come. Toulas reports:
We expect the Twitter user to return with more revelations considering he/she is using the “StayTuned“ hashtag, so we are bound to learn more about what happened at the San Raffaele hospital soon. One thing that we can already comment on is the fact that the hospital has failed to follow proper security practices by storing account credentials in plaintext form on its systems. Moreover, they did not inform the authorities about any breaches within 72 hours – as the GDPR law obliged them. They also failed to respond to the allegations even after data samples started appearing online.