The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.
The threat actor said it stole more than 500,000 Social Security numbers, passport data of clients and employees, patient medical files, and financial and legal documents, according to a Thursday post on the dark web.
Emsisoft Threat Analyst Brett Callow shared a screenshot of the post on X, the platform formerly known as Twitter, Thursday.
Rhysida claims to have more than 1 terabyte of stolen data and a SQL database containing 1.3 terabytes of data. The group offered the data for sale on the dark web for 50 bitcoin, which is the equivalent of almost $1.3 million, according to the listing.
“We have become aware that Prospect Medical data was taken by unauthorized actors, the nature of which is being actively examined,” a spokesperson for the California-based hospital chain said in a statement Friday.
“If the investigation determines that any protected health or personal information is involved, we will provide the appropriate notifications in accordance with applicable laws. Because our investigation is ongoing, we do not have additional information to share at this time. We are taking all appropriate measures to address this incident,” the spokesperson said.
Prospect operates 16 hospitals and more than 165 clinics and outpatient facilities in California, Connecticut, Pennsylvania and Rhode Island.
Ransomware has impacted at least 22 U.S. healthcare systems operating a combined 53 hospitals this year, and 20 of those organizations had data stolen during the attack, according to Callow.
Rhysida, a ransomware as a service group, first emerged in mid-May, the Department of Health and Human Services said earlier this month in an alert.
The group is still in early stages of development and lacks some advanced features such as plaintext strings revealing registry modification commands, according to HHS. Rhysida has primarily attacked organizations in education, government, manufacturing, technology and managed service providers.
Between June and early August, the threat actor added at least eight victims to its data leak site and published all files stolen from five of those victims, the agency said.