Las Vegas hospital hit in cyberattack, data stolen

University Medical Center acknowledged Tuesday that it had experienced a criminal data breach after a notorious hacker group began posting personal information purportedly obtained in the cyberattack.

Images of Nevada driver’s licenses, passports and Social Security cards of around half a dozen alleged victims were posted late Monday on the hacker group’s website and were reviewed by the Review-Journal.

After receiving an inquiry from the newspaper, the hospital issued a statement confirming that cybercriminals accessed a server used to store data in mid-June. Law enforcement is now investigating the incident, it said.

The statement said there is no evidence that any clinical systems were accessed in the attack but that patients and employees would be notified that their personal information may be at risk.

The hospital will also offer “access to complimentary identity protection and credit monitoring services.”

“This type of attack has become increasingly common in the health care industry, with hospitals across the world experiencing similar situations,” the statement said.

The statement did not address the hackers’ motivation, but Brett Callow, a threat analyst with cybersecurity firm Emsisoft, said posting some data online is typically a move to pressure an organization into paying a ransom.

Callow said that the hacker group, known as REvil, has been responsible for other high-profile ransomware cases, stealing a target organization’s data before locking their systems and then threatening to release the data online to extort payment.

“In other cases, REvil has further weaponized the stolen (data) by, for example, threatening to release the before and after photos stolen from a cosmetic surgery chain,” Callow said. “In short, the group will do whatever they can to put pressure on their victims.”

Callow said at least 32 health care providers around the country have been affected by ransomware this year. At least 285 individual sites have had patient care disrupted, he said.

He added that the group claiming the UMC attack has been responsible for a number of other high-profile attacks around the country, including one demanding $42 million.

UMC is a nonprofit public hospital and home to Nevada’s only Level 1 trauma center. It’s affiliated with the Kirk Kerkorian School of Medicine at UNLV and operated by the Clark County Commission.

Last year, a ransomware attack affected the Clark County School District, exposing employees’ names and Social Security numbers, as well as student information such as names and grades.

Nevada Health Centers also reported an incident in December in which a third party accessed patient directory information by logging into an employee’s email account. But medical records, Social Security numbers and financial information were not part of that breach, the health center said in a statement.

Contact Aleksandra Appleton at 702-383-0218 or aappleton@reviewjournal.com. Follow @aleksappleton on Twitter.