Since this Friday at 1:30 p.m., the medical data of thousands of Neuchâtel residents has been online again. And this time, there seems to be no turning back. The hackers had set an ultimatum for the medical practices to pay a ransom, the amount of which is unknown. Having failed to obtain what they wanted, the hackers put back online everything they had stolen from several medical practices in the Neuchâtel Mountains. As Le Temps was able to observe on Friday, that amounts to 43,651 files.
For the record, the hackers had put this data on the darknet on Wednesday, according to our revelations. A few hours later, the data was removed, before a new ultimatum was set for Thursday, then Friday. What happened in the meantime? According to our investigation, the hackers hoped that the victims would contact them to pay the ransom. The targeted medical practices had apparently given signs indicating that they were ready to talk with the hackers. But in the end, there was no discussion. Faced with this, the hackers did what they usually do when they don’t get paid: they put everything back online.
The data accessible on the darknet include, it should be remembered, the names of the patients, their postal address, their date of birth, their telephone numbers (landline and mobile) and their profession. There is also information on the medical examinations carried out, the pathologies and the treatments. One learns, for example, that one patient is HIV positive. Another is a drug user. A third is depressed following an accident. This data has already been copied by several people on the darknet and offered for download on specialized discussion forums.
According to our information, at least one medical practice has agreed to pay a ransom. The amount would be several tens of thousands of francs. This new information follows what ArcInfo published on Friday: according to this outlet, another practice in the canton had suffered a cyberattack on February 25. This practice claims to have “been able to recover all of this data as of March 22”. The logical conclusion: this practice agreed to pay a certain sum to the hackers so that its data would not be published. One or more other practices in the canton have not made this choice.
Denial in Fribourg
And as RTS reported on Thursday evening, it is possible that other practices, located in the cantons of Vaud and Fribourg, have been hacked. But for now, according to our investigations, no trace of files other than those from a Neuchâtel practice has been found on the darknet. We contacted the Fribourg IT company E-sculape, which installed software at several practices. On Friday, E-sculape told us this: “The medical data published on March 31 and again today on the darknet, which we have been able to learn about, come from only one of the practices concerned. No document comes from the Mediway medical software currently used by the practice. The data comes from another source, used previously.”
The case worries the Federal Data Protection and Information Commissioner (FDPIC), who has asked that the patients concerned be informed. “This is a new alert which shows that sensitive medical data is often not sufficiently protected in Switzerland”, according to the commissioner.
“An electric shock”
“We need a real electric shock in Switzerland,” says David Billard, associate professor at the Geneva School of Management (HES GE) and a specialist in cybersecurity. “Professional organizations (doctors and others) should take charge and start by taking stock of the digital capacity of their members (or members of their professional organization). When we go to see a doctor or a lawyer, we expect to receive quality medical or legal advice. In the same way, we should have the assurance that the information we exchange is treated with the same professionalism.”
While the investigations continue, we learned on Friday that the Neuchâtel educational network (RPN) had been affected by a cyberattack. The network was disconnected, according to ArcInfo. A priori, there was no data theft, because no increase in the volume of outgoing data was observed, the canton said. Note that before this attack, there was no two-factor authentication for remote access within the RPN.