Front-line services were delayed and some appointments postponed after a cyberattack that forced the local health board that runs Montreal’s Jewish General Hospital to disconnect its servers from the internet.
The breach occurred Wednesday, just as U.S. authorities and cybersecurity firms warned that criminals are deliberately targeting hospitals with ransomware – malicious computer code that shuts down institutional servers to extort a payment.
The Montreal incident affected a local health board known by its French name, CIUSSS Centre-Ouest. It manages the Sir Mortimer B. Davis Jewish General Hospital but also the smaller Mount-Sinai Hospital, six nursing homes and five community clinics.
The CIUSSS’s associate chief executive, Francine Dupuis, said the cyber intrusion was spotted early so no data was accessed or locked away, and no ransom demand was made.
Officials did not explicitly make a connection with the American ransomware alert but said the incident was not isolated. “It’s not just in Quebec, it might be broader than that, this breach,” Quebec Health Minister Christian Dubé told reporters Thursday.
“The Cyber Centre is aware of a recent ransomware campaign targeting Canadian health organizations,” said Evan Koronewski, a spokesman for the Communications Security Establishment.
The CSE is an intelligence agency that runs a subunit known as the Canadian Centre for Cyber Security. The centre issues public warnings about a variety of hacking threats.
FireEye, the parent company of the American cybersecurity firm Mandiant, says that an Eastern European hacking group known as UNC1878 launched the attacks against hospitals, using the Ryuk ransomware.
“We’ve seen Canada-based organizations impacted by UNC1878’s ransomware operations,” FireEye spokeswoman Sarah Coutermarsh told the Globe and Mail.
“UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career,” FireEye chief technical officer Charles Carmakal said in a statement.
A joint U.S. government task force that includes the FBI issued an alert Wednesday warning of an imminent cybercrime threat to health care providers. “These issues will be particularly challenging for organizations within the COVID-19 pandemic,” the alert said.
Lawrence Rosenberg, the chief executive of CIUSSS Centre-Ouest, said the hacking attempt in Montreal forced facilities to shut down telephone switchboards and cut off internet and remote access to the computer network.
Test results had to be sent out by text messaging. Fortunately, Dr. Rosenberg said, the CIUSSS’s operations weren’t fully electronic yet. “There still was paper being used. We’re just going to fall back and use more paper than we would.”
Staff were instructed for the next three days to print or save on an encrypted memory key any documents they are creating. “I realize that this task is likely to be time-consuming. However, this pro-active precautionary measure is essential,” Dr. Rosenberg said in a memo to staff sent Wednesday.
Dr. Rosenberg told reporters that if there had been a ransom demand, it would have been up to the province to decide whether to pay.
The U.S. task force alert warned that “payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations.”
The Ryuk ransomware is behind the majority of cyber-extortion payments in recent years, according to the FBI.
Speaking at the RSA IT security conference earlier this year, Joel DeCapua, an FBI special agent, said his agency has tracked US$144-million in ransoms paid between 2013 and 2019. Of that tally, more than US$61-million was extorted through Ryuk.