A ransomware cyber-attack has targeted one of Barcelona’s leading hospitals, shutting down its computer system and forcing the cancellation of 150 non-urgent operations and up to 3000 patient checkups.
Reported Monday on Twitter, the attack against Hospital Clinic de Barcelona occurred on Sunday. At the time, the institution said it was working to determine the scope of the leak and restore systems.
A few hours after first reporting the incident, Hospital Clinic published a new post, saying 10% of visits for external consultations would be restored by today, alongside some non-urgent operations.
“We have recovered 10% of consultation activity and part of elective surgery,” the hospital confirmed today. “Patients able to be visited will receive a call to confirm their booking. Rescheduled visits will be announced soon.”
A Catalonia government statement (in Catalan) further explained the region’s cybersecurity agency was working to restore the hospital’s systems. The attack was attributed to the threat actors known as RansomHouse.
According to Avishai Avivi, CISO of security company SafeBreach, despite the few details about the attack, some information can be deduced from what was said by the Catalonian Cybersecurity Agency.
“This was a remote access attack – the spokesperson for the hospital [stated] the attack originated outside of Spain. This means that the malicious actors could breach the hospital network remotely,” Avivi explained.
“The malicious actors were able to spread laterally – considering that multiple locations were shut down (laboratories, emergency rooms, pharmacies and several external clinics). This suggests that the hospital’s networks were not properly segmented and segregated from each other.”
The security expert also discussed the alleged attribution of the attack, clarifying that RansomHouse typically does not encrypt the data but instead focuses on data exfiltration.
“This indicates that shutting down the computers was done to prevent further data exfiltration. This also suggests that Hospital Clinic de Barcelona does not have good egress security controls to prevent data leakage,” Avivi added.
“This conjecture is further supported by the fact that the hospital seems to indicate that it will not pay the ransom, leading me to believe that it still has access to all its data.”
The attack against Hospital Clinic comes months after the RansomHouse threat actor claimed a separate attack against Colombian healthcare provider Keralty.