Hammersmith Medicines Research (HMR), which carried out tests to develop the Ebola vaccine and drugs to treat Alzheimer’s disease in the past, was targeted by the Maze ransomware group earlier this month.
The attack took place despite a public promise by the Maze group that it would not attack medical organisations, made as a show of support for efforts to curb the pandemic. That promise did not hold for long: the group targeted Hammersmith Medicines Research on 14 March.
Although HMR's IT staff detected the attack, contained it and had computer systems and email restored by the end of the same day, the attackers had already exfiltrated data. When the research firm refused to pay a ransom, they published sensitive medical and personal information on more than 2,300 former patients on the Internet.
According to HMR, the breached information is eight to twenty years old and includes copies of passports, driving licences, medical questionnaires and national insurance numbers belonging to more than 2,300 patients. The attackers sent HMR samples of the stolen data, together with a ransom demand, as proof that they had gained access to the company's systems.
“We have no intention of paying. I would rather go out of business than pay a ransom to these people,” said Malcolm Boyce, managing and clinical director at HMR. “What they have sent us was 8 to 20 years old, and we would not know how to contact them. They are probably young people who have mostly returned to their country of origin.”
Medical research firms need to stay on guard against opportunistic hackers
Earlier this month, when approached by Bleeping Computer, Maze stated in broken English that “we also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.” Raj Samani, chief scientist at McAfee, told Computer Weekly that Maze’s actions reveal that the criminals’ only focus was making money.
“We have had previous assertions from other ransomware groups that they aren’t going to go after medical environments, but it really shows us we can’t take what these individuals say as trustworthy,” he said.
“People’s medical data is highly sensitive information; not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. When a data breach occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects,” said a spokesperson from the Information Commissioner’s Office.
Medical research firms are frequent targets for attackers worldwide because they hold not only sensitive personal and health information on thousands of people, but also proprietary research data and intellectual property that competitors could exploit for profit.
In October last year, Tū Ora Compass Health, a primary health organisation (PHO) in New Zealand, announced that hackers had stolen 17 years’ worth of medical and personally identifiable information (PII) on roughly 1 million people after defacing its website.
“The loss of medical and PII data is a worry for all organisations, not just the targeted company. The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the data to accurately mimic the legitimate customer in order to facilitate further cybercrime,” said Robert Capps, vice president at NuData Security.