Why ransomware groups are targeting Indian pharma companies and the healthcare sector; ClearMedi allegedly hacked
Naandika Tripathi reports:
Just three months after a ransomware attack pulled down India’s largest drugmaker, Sun Pharmaceuticals, the threat actors went after another pharma company. Hyderabad-based Granules India was notified of a significant loss of revenue and profitability due to a cybersecurity attack in the last week of May.[…]
From Dr. Reddy’s to the All India Institute of Medical Science (AIIMS), the pharma and healthcare sector have been experiencing an uptick in cyberattacks over the past few years, especially post-Covid-19. These incidents have put a spotlight on the weak cybersecurity infrastructure in the industry.
Read more at Forbes India.
The current news involving India is even worse than Ms Tripathi may know. Threat actors called 8Base have listed ClearMedi Health on their leak site and Telegram channel. “We have a large number of files. For demonstration, some of them are presented here. The entire amount of data has already been uploaded to the site, enjoy!” they wrote.
The leak site listing indicates that data from ClearMedi was downloaded on June 26 and published on their site on July 3. Unlike some other groups that give a victim weeks or even months to try to negotiate a payment, 8Base seems to move quickly. They describe the files that they have uploaded to their server as including:
- Personal documents
- Identity cards
- Health insurance
- Patient data (numbers\addresses\registration numbers and others)
- Patient databases
- Personal data of employees
- Internal documents
- Financial documents
- A huge amount of personal data and databases
The upload is a 9-part archive with most of the parts being 10 GB each.
DataBreaches examined some of the files and confirmed that they contained patient information, such echocardiograph and doppler studies on named patients. The following figure is just the top portion of one such report with the patient’s name and UHID No. redacted by DataBreaches. Note that the date of this visit was May 22 of this year, showing that they obtained recent data.
A second file that DataBreaches examined (below) was a .csv file with 9,225 patient records from 2022 that showed patient’s name and ID, the purpose of their visit, what they paid, who referred them, and what facility the patient was seen at. The patient name and ID was redacted by DataBreaches:
Note that the figure above depicts only part of the fields. There were more fields to the right that included other details such as the patient’s date of birth, age, and their mobile telephone number, as well as other appointment-related details.
Finding no mention of any breach or service disruption on their website, DataBreaches emailed ClearMedi yesterday to ask about the data dump and 8Base’s claims, asking:
- Were you aware that you were the victim of a cyberattack with data theft?
- Did the attack and encryption of your system(s) affect patient care in any way?
- Did you try to negotiate with the criminals at all?
- Have you notified anyone of this breach?
- What are you doing in response to it?
No reply has been received by publication time. DataBreaches also sent some inquiries to 8Base through their contact form on their leak site, but has received no reply by publication.
In November 2022, the All India Institute of Medical Sciences (AIIMS) was the victim of what appeared to be a ransomware attack. That hospital name appears in some of the leaked records for this incident, too.
Updated July 7: 8Base confirmed to DataBreaches that although they locked files, they did not touch any of ClearMedi’s critical infrastructure that would affect patient care. They also confirmed that ClearMedi never contacted them. ClearMedi did not reply to DataBreaches’ initial email and finding no notice or press release from them about any breach, a second email pointing them to this article and asking for a statement has now been sent.