Bayhealth Medical Center, a major healthcare provider in Delaware with three hospitals and over 5,000 employees, suffered a **ransomware attack by the Rhysida gang** in July 2024. The breach exposed sensitive data of **497,047 individuals**, including **Social Security numbers, medical records, health insurance details, passports, and employee documents**, which were later published on the dark web. The attackers demanded a **ransom of 25 bitcoins (~$1.4M)**. The incident disrupted IT systems and led to a **class-action lawsuit** alleging negligence, invasion of privacy, and failure to implement adequate security measures. Bayhealth has negotiated a **preliminary settlement** while facing reputational damage, regulatory scrutiny (HIPAA violation reported to HHS), and potential financial penalties. The attack also highlighted Rhysida’s targeting of healthcare, a critical sector where breaches can have life-threatening consequences if systems supporting patient care or emergency services are compromised.
Source: https://www.bankinfosecurity.com/delaware-health-system-plans-to-settle-rhysida-hack-lawsuit-a-29512
TPRM report: https://www.rankiteo.com/company/bayhealth-medical-center
{
  "id": "bay2303723092425",
  "linkid": "bayhealth-medical-center",
  "type": "Ransomware",
  "date": "7/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '497,047 individuals',
                        'industry': 'Healthcare',
                        'location': 'Delaware, USA (Central and Southern '
                                    'regions)',
                        'name': 'Bayhealth Medical Center',
                        'size': '5,000 employees, 450+ physicians, 200+ '
                                'advanced practice clinicians',
                        'type': 'Healthcare System'}],
 'attack_vector': ['Gootloader Malware (initial access)', 'Network Intrusion'],
 'customer_advisories': ['Breach notification letters to affected individuals'],
 'data_breach': {'data_encryption': 'Yes (ransomware attack)',
                 'data_exfiltration': "Yes (published on Rhysida's dark web "
                                      'site)',
                 'file_types_exposed': ['Patient Records',
                                        'Employee Files',
                                        'Operational Documents'],
                 'number_of_records_exposed': '497,047',
                 'personally_identifiable_information': 'Yes (SSNs, passports, '
                                                        'emails)',
                 'sensitivity_of_data': 'High (includes SSNs, medical records)',
                 'type_of_data_compromised': ['PII (Social Security numbers, '
                                              'email addresses)',
                                              'PHI (medical records, health '
                                              'insurance info)',
                                              'Passports',
                                              'Employee Documents']},
 'date_detected': '2024-07-31',
 'date_publicly_disclosed': '2024-10-14',
 'description': 'Bayhealth Medical Center, a Delaware-based healthcare system, '
                'was targeted by the Rhysida ransomware gang in July 2024. The '
                'attack resulted in a data breach affecting nearly 500,000 '
                'individuals, with sensitive information—including Social '
                'Security numbers, medical records, passports, and health '
                'insurance details—exfiltrated and published on the dark web. '
                'Rhysida demanded a ransom of 25 bitcoins (~$1.4 million). '
                'Bayhealth reported the breach to HHS in October 2024 and is '
                'now settling a class-action lawsuit alleging negligence and '
                'privacy violations. The incident disrupted operations and '
                'exposed PII/PHI of patients and employees.',
 'impact': {'brand_reputation_impact': 'Significant (publicized breach, '
                                       'lawsuit, and association with Rhysida)',
            'customer_complaints': 'Class-action lawsuit filed by affected '
                                   'patients',
            'data_compromised': ['Personally Identifiable Information (PII)',
                                 'Protected Health Information (PHI)',
                                 'Social Security Numbers (SSNs)',
                                 'Passports',
                                 'Health Insurance Information',
                                 'Medical Records',
                                 'Employee Documents'],
            'downtime': "Weeks (based on Lurie Children's Hospital precedent)",
            'identity_theft_risk': 'High (SSNs, PII exposed on dark web)',
            'legal_liabilities': 'Preliminary settlement in class-action '
                                 'lawsuit (negligence, privacy invasion '
                                 'claims)',
            'operational_impact': 'Disruption to healthcare services, forensic '
                                  'investigation, legal proceedings',
            'systems_affected': ['IT Network',
                                 'Operational Systems (disrupted)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (published on '
                                                    "Rhysida's leak site)",
                           'entry_point': 'Gootloader Malware (suspected)',
                           'high_value_targets': ['Patient PII/PHI',
                                                  'Employee Data']},
 'investigation_status': 'Ongoing (forensic investigation completed; lawsuit '
                         'settlement pending)',
 'motivation': ['Financial Gain', 'Data Theft for Extortion'],
 'post_incident_analysis': {'corrective_actions': ['Lawsuit settlement '
                                                   '(potential security '
                                                   'upgrades per injunctive '
                                                   'relief)']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '25 bitcoins (~$1.4 million USD at time of '
                                   'incident)',
                'ransomware_strain': 'Rhysida'},
 'references': [{'source': 'Information Security Media Group (ISMG)'},
                {'date_accessed': '2024-10-14',
                 'source': 'U.S. Department of Health and Human Services (HHS) '
                           'Breach Portal'},
                {'source': 'FBI/CISA/MS-ISAC Joint Advisory on Rhysida (April '
                           '2024)'}],
 'regulatory_compliance': {'legal_actions': ['Class-action lawsuit '
                                             '(negligence, privacy invasion)',
                                             'Preliminary settlement reached'],
                           'regulations_violated': ['HIPAA (Health Insurance '
                                                    'Portability and '
                                                    'Accountability Act)'],
                           'regulatory_notifications': ['Reported to U.S. '
                                                        'Department of Health '
                                                        'and Human Services '
                                                        '(HHS)']},
 'response': {'communication_strategy': ['Breach Notice to HHS',
                                         'Public Disclosure',
                                         'Lawsuit Settlement Negotiations'],
              'containment_measures': ['Network Secured',
                                       'Investigation Launched'],
              'incident_response_plan_activated': 'Yes (forensic specialists '
                                                  'engaged)',
              'third_party_assistance': ['Forensic Investigators',
                                         'Legal Counsel']},
 'threat_actor': 'Rhysida (Ransomware-as-a-Service Gang)',
 'title': 'Bayhealth Medical Center Rhysida Ransomware Attack and Data Breach '
          '(2024)',
 'type': ['Ransomware Attack', 'Data Breach', 'Cyber Extortion']}