Fresenius says cyber-attack led to release of patient data

Dialysis specialist Fresenius has confirmed that a ransomware attack earlier this year has resulted in the publication of confidential patient data.

The German company – which is Europe’s largest private hospital operator – revealed in early May that data theft had occurred after a cyberattack that according to the KrebsOnSecurity.com blog had affected “every part of the company’s operations around the globe.”

Now, Fresenius has reported that “patient data from some of the company’s dialysis centres in Serbia has been published by unauthorised persons.”

The company adds that it has filed a complaint against the unidentified hackers with the public prosecutor in Germany, and will work with the authorities to try to bring them justice.

Fresenius says it “deeply regrets this invasion of some patients’ privacy, is doing its utmost to prevent further data to be published and to save affected patients and other stakeholders from harm.”

The attack comes against a backdrop of an increasing number of cyber-attacks against healthcare companies and providers that are on the front line of the fight against the coronavirus pandemic.

David Jemmet, chief executive of cybersecurity Cerberus Sentinel, said recently that a purported ceasefire on healthcare providers by ransomware operators during the pandemic has proven short-lived.

“Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike,” he added.

In one notorious case, a cyber-attack was launched on Brno University Hospital Brno, in Czechia, amid the COVID-19 outbreak – resulting in the shutdown of its IT networks and forcing the postponement of urgent surgeries and rerouting of acute patients to an alternative clinic.

Last month, insurance company Magellan Health was also the victim of a ransomware attack – launched via a phishing email – that resulted in the theft of sensitive personal information from one of its corporate servers. The company said these kinds of attacks are “increasingly common”.

Meanwhile, a US Government Accountability Office (GAO) report issued last week suggested that chemical facilities are particularly vulnerable to cyber-attacks because the Department of Homeland Security (DHS) hasn't updated cybersecurity guidance for those facilities in more than a decade.

Commenting on this type of activity in the wake of the Magellan attack, Jonathan Deveaux of data protection specialist Comforte AG said: “Between the news of increasing COVID-19 related deaths, stressful lock-down situations, furloughed workers, and rising unemployment, the last thing that businesses need to deal with is a cyber-attack.”

There are some protections for businesses that step up to help make products that are in dire need, such as medical supplies or personal protective equipment (PPEs) during a pandemic, but the law needs to go further, he said.

“There needs to be a law that adds a legal protection layer for businesses and organisations from cyberattacks that happen during a pandemic,” he suggested, adding that the law “The law should increase and enforce the maximum penalty that a bad actor or hacker may receive if they engage in [such] attacks.”