Merck, Capital Health and U.S. Hospitals Targeted by Cyberattacks

Hospital IT Help Desks Attacked in Advanced Payment Fraud Scam

The American Hospital Association (AHA) reports that cybercriminals are targeting U.S. hospitals in a sophisticated payment fraud scam. The AHA has received several reports of scammers calling hospital IT departments to have passwords reset and new devices registered so that they receive multifactor authentication (MFA) codes. Once they have access to staff email accounts, they email payment processors telling them to reroute legitimate payments to U.S. bank accounts controlled by the attacker. The money is then deposited into foreign accounts.

According to the AHA, the scammers call IT departments and pose as revenue cycle staff or other employees in important financial positions. They supply stolen personal data to pass the identity checks required for a password reset and for registering a new device to receive MFA codes. The devices used to receive the codes frequently have a local area code. With the newly registered device, the scammer receives the MFA codes and gains access to staff email accounts. This method also lets the scammers defeat phishing-resistant MFA.

The AHA has received many reports from U.S. hospitals that were attacked and had payments deposited to the attackers’ accounts. Anyone who becomes a victim of the scam must promptly report the incident to the Federal Bureau of Investigation (FBI) and to their financial institution to try to block the transfer and recover the fraudulently deposited money. The FBI has succeeded in blocking fraudulent fund transfers when informed within 72 hours of the transfer being made.

Hospitals should consider applying stricter IT help desk security practices so they do not fall victim to these frauds. John Riggi, the AHA's national advisor for cybersecurity and risk, recommends that, at a minimum, any request for a password reset and registration of a new device require a phone call to a designated number for the staff member making the request. Some hospitals require such requests to be made in person at the IT help desk. Riggi additionally recommends procedures that contact the staff member's supervisor to confirm such requests. This scheme again shows how cyber adversaries are rapidly changing their techniques to defeat technical cyber defenses through social engineering.
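The pattern described above (a help desk password reset followed shortly by a new MFA device registration for the same account) can also be watched for in identity logs. The following is an added example, not code from the AHA or any product; the event fields, user names and the 60-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a real log schema.
EVENTS = [
    {"ts": "2024-01-08T14:02:00", "user": "rc.analyst", "action": "password_reset", "via": "helpdesk_call"},
    {"ts": "2024-01-08T14:09:00", "user": "rc.analyst", "action": "mfa_device_enrolled", "via": "helpdesk_call"},
    {"ts": "2024-01-08T15:30:00", "user": "nurse.a", "action": "password_reset", "via": "helpdesk_call"},
    {"ts": "2024-01-09T09:00:00", "user": "ap.clerk", "action": "password_reset", "via": "in_person"},
    {"ts": "2024-01-09T09:05:00", "user": "ap.clerk", "action": "mfa_device_enrolled", "via": "in_person"},
    {"ts": "2024-01-09T11:00:00", "user": "cfo.office", "action": "password_reset", "via": "helpdesk_call",
     "callback_verified": True, "supervisor_confirmed": True},
    {"ts": "2024-01-09T11:20:00", "user": "cfo.office", "action": "mfa_device_enrolled", "via": "helpdesk_call",
     "callback_verified": True, "supervisor_confirmed": True},
]
FINANCE_USERS = {"rc.analyst", "ap.clerk", "cfo.office"}  # hypothetical role list


def flag_reset_then_enroll(events, finance_users, window=timedelta(minutes=60)):
    """Alert on phone-initiated reset + new MFA device pairs that lack verification."""
    alerts, last_reset = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        when = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "password_reset":
            last_reset[ev["user"]] = (when, ev)
            continue
        if ev["action"] != "mfa_device_enrolled" or ev["user"] not in last_reset:
            continue
        reset_time, reset_ev = last_reset.pop(ev["user"])
        if when - reset_time > window:
            continue  # enrollment too long after the reset to treat as one request
        pair = (reset_ev, ev)
        by_phone = any(e["via"] == "helpdesk_call" for e in pair)
        # Both controls from the recommendations: callback and supervisor confirmation.
        verified = all(e.get("callback_verified") and e.get("supervisor_confirmed") for e in pair)
        if by_phone and not verified:
            alerts.append({
                "user": ev["user"],
                "minutes_apart": int((when - reset_time).total_seconds() // 60),
                "severity": "high" if ev["user"] in finance_users else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_reset_then_enroll(EVENTS, FINANCE_USERS):
        print(alert)
```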

Merck Resolves Issues with Insurers About $1.4 Billion NotPetya Malware Attack

The pharmaceutical company Merck has reached a settlement with its insurers over a June 2017 cyberattack that Merck stated led to $1.4 billion in losses. Merck was hit by the well-known NotPetya malware, a variant that appeared to be ransomware but was in fact a wiper. The malware is associated with Russian state-sponsored cyber criminals and was used to attack targets in Ukraine; however, attacks occurred worldwide, causing approximately $10 billion in losses.

Merck stated that the NotPetya malware wiped 40,000 of its computers. When it tried to recover those losses under its ‘all-risk’ insurance plans, its insurance providers declined to pay out, saying the cyberattack was not covered because the policies did not insure acts of war.

Merck challenged the decision on the grounds that the exclusions in its insurers’ policies did not apply to NotPetya. The trial court judge ruled in favor of Merck. After evaluating the language of the war exclusion in the insurance policies, the history of how war exclusions had been interpreted in the past, and the nature of the all-risk policy, the trial court concluded that the cyberattack could not be excluded. A state appellate court upheld the trial court's decision in May 2023.

The language of the war exclusion made no mention of cyber warfare or cyberattacks, and the insurance companies did not prove the dangerous or warlike nature of the NotPetya cyberattack on Merck. Consequently, the war exclusion did not apply and Merck was allowed to recover roughly $700 million in losses. If the insurance companies wish to exclude specific types of cyberattacks from their coverage, they need to include language to that effect in their policies.

LockBit Ransomware Group Responsible for Cyberattack on Capital Health

Capital Health Systems, located in New Jersey, recently reported a cyberattack at the end of November 2023 that disrupted its IT systems for a brief period. Capital Health manages two hospitals in New Jersey, Capital Health Medical Center in Hopewell and Capital Health Regional Medical Center in Trenton, as well as an outpatient center in Hamilton Township. Although the attack resulted in a network outage, providers continued to care for patients at its hospitals. Patients were still accepted at its emergency rooms.

Capital Health has stated that all systems have been restored and all patient services are available at Capital Health facilities; nevertheless, the investigation of the cyberattack is continuing and there is no report yet on the scope of patient and staff data affected. Capital Health said law enforcement was quickly informed of the attack and that third-party forensic and IT specialists helped with the investigation and breach response.

Capital Health has not yet confirmed the scope of any data breach; however, the hacking group responsible for the attack states that it stole over 10 million files, which include 7 TB of confidential healthcare information, and threatened to post the stolen information if no ransom is paid. The LockBit ransomware group typically uses double extortion tactics, stealing sensitive data and encrypting files using ransomware. A ransom demand is issued requiring payment to obtain the file decryption keys and to prevent the posting of the stolen information. In this cyberattack, the group stated that it intentionally did not encrypt files and merely took patient information, as it did not intend to cause any interruption to patient care. Although ransomware was not used, such attacks can still cause network outages during incident response procedures and, as a result, still affect patient care.

The deadline given to Capital Health to stop the exposure of the stolen information was January 9, 2024. Although Capital Health was listed on the LockBit 3.0 data leak site, the listing for the provider no longer appears there. More details on the severity of the data breach will be made available as the investigation moves along, and breach notification letters will be mailed when data theft is verified.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.