Texas-Based Cogdell Memorial Hospital Attacked by Lorenz Ransomware Gang

The Lorenz extortion group has added the Texas-based Cogdell Memorial Hospital to their list of targets, leaking data and contributing to the increasing number of ransomware attacks on healthcare organizations in the US.

Nov 13, 2023 - 16:00

The Lorenz extortion group has claimed responsibility for a data breach at Cogdell Memorial Hospital in Texas.

In early November, the hospital experienced a significant network incident, losing access to certain systems and facing major disruptions to its phone system. Despite these challenges, the hospital, which serves as a Critical Access Hospital and Rural Health Clinic in West Texas, continued to deliver most of its routine services, including emergency care, various therapies, and hospice care.

As a precaution, the hospital disconnected from its network, but the breach's impact was significant. The Lorenz group, known for its ransomware attacks since April 2021, added the hospital to its Tor leak site, claiming the theft of over 400GB of data. This data allegedly includes internal documents, patient medical images, and employee emails.

Lorenz is notorious for its double-extortion tactics, where they not only encrypt the victim's data but also steal it, threatening to release the information if their ransom demands, typically between $500,000 and $700,000, are not met. At the time of this report, the Lorenz group has begun releasing approximately 95% of the stolen data from Cogdell Memorial Hospital.

U.S. healthcare organizations are increasingly falling victim to ransomware attacks, with this year already seeing 29 health systems, encompassing 90 hospitals, impacted. Notably, in over 23 of these cases, data was stolen, highlighting the severity of these cyber incursions.

Renowned researcher Brett Callow has highlighted several recent attacks. In mid-October, the ALPHV/BlackCat ransomware group targeted Morrison Community Hospital, claiming to have extracted 5TB of sensitive patient and employee information. They substantiated their claims by posting samples on their dark web Tor leak site.

September witnessed the LockBit ransomware group compromising two New York hospitals – Carthage Area Hospital and the Clayton-Hepburn Medical Center. LockBit, known for its policy against attacking healthcare facilities, was forced to apologize for an affiliate's January attack on the Hospital for Sick Children (SickKids), even releasing a decryptor for the hospital. They cited a violation of their rule prohibiting attacks that could result in death.

This policy, however, hasn't prevented affiliates from targeting healthcare institutions. In December 2022, the Hospital Centre of Versailles, including André-Mignot Hospital, Richaud Hospital, and the Despagne Retirement Home, suffered a disruptive cyberattack attributed to LockBit. The attack led to canceled operations and patient transfers. In August, a similar attack by LockBit on the Centre Hospitalier Sud Francilien near Paris severely disrupted emergency services and surgeries, with attackers demanding a $10 million ransom.

Moreover, the U.S. healthcare sector faces threats from other ransomware groups. The Rhysida ransomware group recently announced a breach of Prospect Medical Holdings, threatening to leak sensitive data unless a ransom of 50 Bitcoins (approximately $1.3 million) was paid. This same group claimed responsibility for recent breaches at three other U.S. hospitals.

Singing River Health System's facilities also fell victim to a cyberattack at the end of August, impacting operations at three hospitals and other medical units. These incidents underscore the growing cybersecurity challenges faced by the healthcare sector in the United States.