Hackers trying to sell personal information stolen from some CT hospitals

(WFSB) - Eyewitness News has troubling new information about the ransomware attack on two Connecticut hospitals.

It appears the hackers are now trying to sell the stolen data that includes employees’ personal information.

Eyewitness News received an email from the organization claiming credit for the cyberattack. They sent what appears to be stolen data, and a portal link to where more records are for sale.

The email contains hospital employees’ sensitive personal information.

The email Eyewitness News received, signed by “Rhysida”, described a period of negotiating with Prospect Medical Holdings, the parent company of Waterbury Health and Eastern Connecticut Health Network.

The email contained a link, claiming it was a portal to millions of files for sale, and said: “Everyone who has ever provided personal data to Prospect Medical will suffer.”

Channel 3 asked a Waterbury Hospital employee three weeks after the initial computer attack about the communication they have had so far from the hospital system.

“We’ve been told that our own personal records were not necessarily accessed and that’s always been told,” said Frank Marcella, a Waterbury Hospital nurse.

“Who told you that?” asked Eyewitness News.

“Various managers,” Marcella said.

That may no longer be true.

An attached file contains a small sample of the stolen files the hackers claim are for sale online.

Eyewitness News reached out to Prospect Medical Holdings, and a spokesperson confirmed their data was taken by hackers.

The spokesperson said they are still investigating the scope of what was taken: “If the investigation determines that any protected health or personal information is involved, we will provide the appropriate notifications in accordance with applicable laws. "

Eyewitness News also obtained a letter that appears to be communication from Waterbury Health’s local management, telling employees not to speak to the media.

In it, they echo Prospect Medical Holdings’ promise to notify workers if their information was found to be stolen.

But actually figuring out what was taken among thousands of records is a big undertaking.

“I do think they need some time to do their own forensic analysis,” said Frederick Scholl, a Cybersecurity Professor at Quinnipiac University.

Scholl said he is familiar with ransomware attacks from Rhysida.

“I’m sure that they’re international. Attacks have been reported around the world and the ransomware code is very sophisticated,” Scholl said.

Scholl believes it only took a few people to write that code.

Scholl said all the patients and workers who could have had their data stolen because of it need regular updates on the investigation.

“They need to be kept informed of exactly what the risks are so they can take steps to manage those,” said Scholl.

Eyewitness News spoke with a former Waterbury Health employee Friday whose information was among the documents shared by the hackers.

He said this is the first he’s heard of his records being among those that were stolen.

The FBI has been investigating the cyberattack. It is now looking into attempts to sell the stolen data.

Copyright 2023 WFSB. All rights reserved.