When attackers say they did not encrypt a hospital’s systems, patients can still be the ones who suffer. That is the reality unfolding this week at Signature Healthcare in Massachusetts, where a ransomware-as-a-service gang has claimed responsibility and says it stole two terabytes of patient data, even as the health system struggles to keep services running.
What happened
Ransomware-as-a-service (RaaS) group Anubis claimed it stole roughly 2 terabytes of patient data in an attack on Signature Healthcare this week. According to reports, the attackers alleged they did not encrypt the health system’s IT environment. Despite that claim, Signature Healthcare has been forced to shift operational procedures: the hospital is diverting ambulance patients and clinicians are using paper charts while recovery continues.
Immediate operational impact
The tangible consequences at Signature Healthcare are clear from the available facts: ambulance traffic has been redirected away from the facility, and staff are documenting care on paper rather than through electronic systems. Those steps indicate the organization has limited or no access to at least some digital records and workflows as it recovers from the incident.
Why this matters
- Patient privacy and exposure: The attackers’ claim of 2 terabytes of patient data raises questions about the scope of information potentially exposed. Even without evidence in the source about which records were included, the volume alone suggests a sizable trove of clinical or administrative files.
- Operational resilience: The switch to paper charts and the diversion of ambulances show that healthcare delivery can be disrupted even when attackers assert they did not encrypt systems. The distinction between data theft and encryption may be meaningful for an adversary’s motives, but for clinicians and patients the result can be the same: constrained access to electronic records and altered patient flow.
- Signals for technologists: Security teams and IT leaders might read this incident as an example that data exfiltration alone can trigger wide operational impacts. That could affect prioritization of detection and response capabilities aimed at both preventing theft and ensuring continuity when systems are degraded.
- Policy and oversight considerations: Policymakers and regulators focused on healthcare resilience and privacy may see this incident as another data point in assessing mandatory reporting, incident response expectations, and support mechanisms for providers hit by cyber incidents.
- Adversary behavior: The involvement of a RaaS gang that publicly claims data theft underscores a model where threat actors can monetize breaches through disclosure or sale of stolen information, separate from—or in addition to—encryption-based extortion tactics.
What to watch next
At this stage the verifiable elements are the attackers’ claim of 2 terabytes of patient data theft, their statement that they did not encrypt the IT system, and Signature Healthcare’s ongoing use of paper charts and ambulance diversions while it recovers. How the health system restores electronic access, the scope of any exposed records, and whether the claim of no encryption will be independently verified are all developments that will determine the longer-term impact on patients and the organization.
When critical health services are rerouted and clinicians revert to paper, the debate over whether an incident involved encryption or only data theft becomes academic to patients in an ambulance or nurses documenting care by hand. If two terabytes of patient data were indeed taken, what protections remain for those individuals — and how will providers be supported to restore safe, electronic care — are questions that go beyond labels and into risk and recovery.
https://www.govinfosecurity.com/raas-gang-anubis-claims-signature-healthcare-data-theft-a-31394




