Cyberattack at Singing River Health System and Point32 Health and Increasing APT Group Attacks

Singing River Health System located in Mississippi, which manages Ocean Springs Hospital, Pascagoula Hospital, and Gulfport Hospital, noticed strange activity inside its IT network last week and is looking into a likely cyberattack. The health system took its IT systems off the internet to maintain system integrity and followed downtime procedures.

SRHS Chief Marketing Officer Shannon Wall stated that Singing River Health System is working hard with third-party experts to investigate the cause of the problem and to verify its effect on its systems as quickly as possible. It is likewise working with the appropriate law enforcement agencies and regulators. Shannon Wall also affirmed that the IT security staff is working 24/7 to investigate the incident and make sure systems are protected, and that systems will be brought back online only when it is safe to do so. No timeline has been provided for the restoration of its systems. No information has been given about the nature of the attack, for example, whether ransomware was involved.

The health system is still accepting patients; however, there are slowdowns because of the lack of access to IT systems. Radiology services at its clinics have been stopped, though they remain available at its hospitals. At this point in the investigation, it is unclear to what degree, if any, patient information was exposed.

Ransomware Attack Key Factor in H1 Operating Losses of $102.6 Million for Point32 Health

Point32Health has reported sustaining $102.7 million in operating losses for the first half of 2023 on $4.8 million in income, compared with losses of $25.8 million in the first half of 2022 on $4.9 billion in income. The difference of $76.9 million was mostly caused by the ransomware attack it discovered on April 17, 2023, though specifics of the actual cost of the attack were not published.

The attack resulted in the exfiltration of sensitive information from the Harvard Pilgrim Health Care systems between March 28, 2023 and April 17, 2023, including the protected health information (PHI) of current and former subscribers, their household members, and current contracted vendors. The breached data included names, taxpayer ID numbers, and Social Security numbers. The breach report was submitted to the HHS’ Office for Civil Rights as impacting 2,550,922 people.

The attack led to systems being taken down for a couple of weeks, including the systems used for the Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). The recovery process was slow since systems needed to be restored in a particular order. It took three months after discovering the attack, until July, to completely return to normal operations, and it took until August to clear the backlog of 1 million claims that were overdue because of the cyberattack.

Point32Health Chief Financial Officer Scott Walker said the company remains on a solid financial footing and that the losses caused by the cyberattack were transient and one-time in nature; nevertheless, Point32Health will probably continue to incur costs because of the data breach. Multiple class action lawsuits associated with the data breach have been filed.

Chinese APT Groups Attacking the Healthcare Sector

Financially motivated cybercriminal gangs are actively targeting the healthcare sector; however, state-sponsored hacking groups likewise gain access to healthcare systems and are actively attacking healthcare companies and other organizations in the healthcare and public health (HPH) sector.

In a newly released security alert, the Health Sector Cybersecurity Coordination Center (HC3) provides a threat profile of some of the most capable Chinese hacking groups known to attack U.S. healthcare institutions. Although at least one Chinese state-sponsored hacking group is known to carry out cyberattacks for monetary gain, most groups conduct attacks for surveillance purposes and to acquire intellectual property (IP) of interest to the People’s Republic of China government, for example, IP associated with healthcare technology and drugs. For instance, Chinese hackers attacked pharmaceutical companies during the pandemic seeking COVID-19 vaccine research information.

APT41 (also Winnti, BARIUM, LEAD, WICKED SPIDER, Blackfly, WICKED PANDA, Suckfly, Double Dragon, and Winnti Umbrella) has been one of the most active threat groups since 2007 and is known to attack U.S. healthcare providers, most often with the objective of acquiring intellectual property to hand to the Chinese authorities. The group additionally conducts surveillance and digital extortion and performs financially motivated cyberattacks, though those operations may be for personal gain rather than for the Chinese government. APT41 heavily exploits known vulnerabilities, frequently within hours of public disclosure, as was the case with the Log4j and ProxyLogon vulnerabilities. Once initial access has been obtained, the group moves laterally inside networks and establishes persistent access, often remaining in networks unnoticed for a long time while exfiltrating data of interest. The group has a considerable arsenal of malware and uses widely available security tools in its attacks, for example, a customized version of Acunetix, Cobalt Strike, Nmap, Sqlmap, and JexBoss.

APT10 (also known as Menupass Team, Stone Panda, Red Apollo, Cicada, CVNX, HOGFISH, and Cloud Hopper) engages in cyberespionage and cyberwarfare activities and focuses on military and intelligence data. The group is known to leverage zero-day vulnerabilities to gain access to the networks of targets of interest and uses a variety of custom and public tools to achieve its aims. APT10 performs highly targeted attacks, with initial access usually achieved by means of spear phishing. The group is also known to target managed service providers (MSPs) in order to attack their downstream clients. The group often employs living-off-the-land tactics, using tools already installed in victims’ environments.

APT18 (also called Dynamite Panda, TA-428, TG-0416, Wekby, and Scandium) is an APT group thought to work with the Chinese military that frequently attacks governments, human rights groups, and a variety of sectors, including biotechnology and pharmaceutical companies. The group is known to develop its own zero-day exploits and to adapt exploits developed by others to meet its operational requirements, and it uses advanced malware such as Gh0st RAT, pisloader, HTTPBrowser, and PoisonIvy. APT18 is thought to be responsible for a 2014 attack on a healthcare company that saw the theft of the information of 4.5 million patients. The threat group is believed to have used the OpenSSL Heartbleed vulnerability to access the system.

APT22 (also called Barista, Suckfly, and Group 46) appears to focus on attacking political entities and the healthcare industry, particularly pharmaceutical and biomedical companies. The group is known to identify vulnerable public-facing web servers on victim networks and upload web shells, and it uses sophisticated malware such as SOGU, PISCES, FLATNOTE, BASELESS, ANGRYBELL, LOGJAM, and SEAWOLF.

Besides outlining some of the tactics, techniques, and procedures used by each group, HC3 has provided mitigations to improve security against the most commonly used infection vectors.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at