Thousands of medical data published on the dark web after hacking of two medical institutions in Neuchâtel, Switzerland

Despite assurances to parliament from the Swiss Council of State of Neuchâtel explaining that it had made progress in computer security, this incident was a slap in the face: the ransomware group LockBit targeted two medical institutions in the Swiss canton of Neuchâtel in a cyber attack and offered to hold them for ransom or publish their stolen data on the dark web.

Medical data leaked on the dark web

After issuing an ultimatum, the ransomware group LockBit took action in the canton of Neuchâtel on Tuesday: it leaked the data of thousands of Neuchâtel patients on the dark web. However, they were withdrawn on Wednesday.

The hackers had threatened the companies that if the ransom was not paid, they would publish the data dragged by the hackers on Tuesday, March 29. According to Le Temps, the hackers made good on their threat and 43,651 medical files ended up on the dark web, a hidden part of the Internet, containing addresses, phone numbers or occupations.

Among the leaked files were medical files with various data about patients' medical conditions or medical tests where medical records and treatments could be found, such as that one patient was HIV-positive, another was taking medication and a third was suffering from depression. Some of these files date back to 1998.

Data deleted in the afternoon

However, on Wednesday afternoon, the data were no longer accessible on the Dark Web, and they were deleted shortly after they were posted. There are the following possibilities: the victim of the hack finally decides to pay, or the hacker realizes the value of the files and decides to try to raise the ransom. Cybersecurity experts have also raised the hypothesis of technical problems with the dark web.

The hacker's dark web page was updated with a countdown to a new action around 1:30 p.m. Thursday, which should be a new 24-hour ultimatum set by the LockBit organization.

Police investigation

Neuchâtel police have launched an investigation into the case. "The investigation is ongoing and the police do not wish to provide any further information about the two medical institutions." Police spokesman Georges-André Lozouet told Keystone-ATS on Wednesday, confirming information from Le Temps that the offices of the two victim medical facilities were located in the Neuchâtel mountains.

A "disaster"

Dominique Bünzli, president of the Société Nationale de Médecine de Neuchâtel (SNM), said at 12:30 p.m. that what happened was "a catastrophe. He did not have details yet, but said that if it is indeed confirmed that the data has been stolen, they will have to inform their patients in a completely transparent way.

Earlier this month, the SNM president sent a warning letter calling on members to take immediate action after colleagues informed him that the medical society had been the victim of a cyber attack.

Cybersecurity hardening

Dominique Bünzli explained that work is underway to strengthen IT security in medical practices. The Swiss Medical Association (FMH) has also issued several recommendations for cybersecurity hardening practices.