Ransomware attacks on medical entities continue: a laboratory in Italy and a health care service in New Mexico among latest victims

Ransomware attacks on medical entities continue. Today, we report on one attack in Italy and one in the U.S.  And sadly, by the end of the day, there may well be more.


Marco De Felice (aka @amvinfe) reports that RagnarOK threat actors have attacked the Valdès Analysis Laboratory in Cagliari. The attack occurred on February 6. De Felice reports:

Among the stolen data, various authorizations of online reports, laboratory documents and regulatory references to Covid-19, quality checks VEQ 2020 of the Careggi University Hospital of Florence.

The threat actors posted a screenshot of a directory of  files as proof of claim. They also posted links to what would appear to be four archives of files to download. At the time DataBreaches.net checked, however, all download links returned 404, which confirms what De Felice found and reported.

Because there was no notice on the laboratory’s web site, De Felice:

 wrote an e-mail to the administrative office and to the “Data Controller” of the Sardinian laboratory to understand if the company had already informed the Privacy Guarantor, as required by the European regulation on data protection ( GDPR). It also remains to be understood whether the Valdès Analysis Laboratory has already sent notifications to its customers, given that there are no warnings relating to the data breach on the company website.

Read more on SuspectFile.

United States

While that is going on in Italy with RagnarOK, Conti threat acctors have attacked another medical entity in the U.S.:  Rehoboth Mckinley Christian Health Care Services, Inc in New Mexico.

As it has done in similar attacks, the threat actors dumped a small sample of files as proof. The files include copies of handwritten injury reports and other reports related to named individuals’ care. The reports include demographic and protected health information. The sample also contains images of driver’s licenses and a Social Security card, a prescription, and a passport.

RMCHCS was added to Conti’s leak site yesterday. There is no statement on RMCHCS’s web site at this point, so DataBreaches.net has sent an inquiry to the health care service. This report will be updated if a response is received.

RMCHCS was not the only U.S. entity added to a leak site yesterday.  Capital Medical Center in Washington State was added to  Avaddon threat actors’ leak site yesterday. The threat actors gave the practice 10 days from yesterday to respond before they dump more data. For proof of claim, they dumped a number of files with confidential and sensitive personal and protected health information, including a file of images of state driver’s licenses, lab reports and medical reports on named patients and more.  DataBreaches.net has sent an inquiry to CMC about the incident and will update this report if a response is received, but it is important to note that like RMCHCS, they have not yet confirmed any attack.


Well, it was only minutes after posting the above that I discovered a diagnostic laboratory in Brazil, Meddi Laboratório, had been hit by Avaddon threat actors. Avaddon dumped a hodge-podge of files as proof of claim and gave the laboratory 10 days to reply before more data is supposed to be dumped. The data dumped are routine records such as certifications, but also include photo ID, contact information, and other files that appear to include some payment information. Nothing appears to be from EMR.  There is nothing on Meddi’s web site at this point.

About the author: Dissent

Comments are closed.