Data breach: Azienda Socio Sanitaria Territoriale Rhodense

Another data breach affecting public health has hit the Lombardy region; this time it is the turn of ASST Rhodense. Let’s try to understand what happened.

What happened

The data breach caused by the Cicada3301 collective was noticed as early as the evening of 5 June 2024, according to what ASST general director Marco Bosio told the Milan edition of Corriere della Sera. Those affected were, to be precise:

  • The Garbagnate hospital
  • Bollate Hospital
  • The Rho hospital
  • The headmasters of Passirana
  • Community houses
  • Consultants linked to hospitals
  • The Rsa Pertini

This is a vast and densely populated area on the outskirts of Milan, and therefore the amount of data stolen could be very large indeed. A map is given below to show where the main sites affected by the data breach are located.

From the evening of Wednesday, 5 June 2024, problems began to be experienced with the information system, which, according to the ASST Director’s initial statement, led to a reorganisation of the structures’ activities. As of the current date (07/06/2024 14:21), the ASST web portal is not functioning (https://www.asst-rhodense.it/). From the interview with the Director General, we learn that ‘the information systems are not available, they are blocked’, which suggests that a ransomware attack is behind the malfunction, although this has not yet been clarified.

The disruptions currently caused by the data breach can be summarised as follows:

  • Ambulances were diverted to other departments, resulting in a reduced influx to the emergency room.
  • Computerised procedures have been replaced by paper-based ones, which has slowed down the processing of procedures.
  • Non-urgent surgeries suspended.
  • Outpatient activity reduced to that which can actually be performed.
  • Bone densitometry (MOC) examinations not guaranteed.
  • CT examinations not guaranteed.
  • Testing laboratory not functioning.
  • MRI scans not guaranteed.
  • Mammograms not guaranteed.
  • X-rays not guaranteed.
  • Bookings at the CUPs suspended.
  • Planned hospitalisation suspended.
  • The activity of the pick-up points was suspended.

Many of the diagnostic activities require computer systems that are networked and therefore potentially exposed to the incident.

About ARIA S.p.A.

As we read on the company’s official website, ‘Aria S.p.A. was created from the merger of the four Region of Lombardy companies with total public participation’. The history can be briefly reconstructed as follows:

  • 1981 – Lombardia Informatica is founded
  • 2003 – Infrastrutture Lombarde (ILSpA) is founded
  • 2014 – Arca Lombardia is born
  • 2019 – ARIA S.p.A. is established (from the merger of Arca and ILSpA)
  • 2022 – Explora is merged into Aria S.p.A.

In the health sector, ARIA S.p.A. carries out a number of very important activities, which the site effectively summarises as follows:

ARIA is responsible, on behalf of the Lombardy Region, for the construction of new hospital facilities or the reorganisation of existing ones, distributed throughout the entire regional territory, which together provide Lombardy’s citizens with thousands of beds, new outpatient clinics and operating theatres.

It is therefore natural that immediately after the IT incident, the Lombardy Region turned to ARIA S.p.A. for guarantees on the restoration of systems and services.

While waiting for the main developments on the matter, it is worth noting what the Director General himself stated: ‘it is not possible to estimate the restoration time’, which should not happen according to AgID’s service level requirements.

On 24 June 2024, the publication Red Hot Cyber published an interview with the Cicada3301 collective in which the hackers claimed that the dwell time in the systems of the ASST Rhodense was approximately one year.

Chronology of events

  • 05/06/2024: start of problems within the information system.
  • 07/06/2024: Inefficiencies continue, partial restoration of telephones, website not working.
  • 09/06/2024: Inefficiencies continue, website not working.
  • 12/06/2024: the web portal appears again, albeit in a provisional form.
  • 20/06/2024: Hackers from the Cicada3301 collective release data stolen from the ASST.
  • 13/08/2024: the web portal continues to be in provisional form.

Updates

07/06/2024 – 23:04 – Disruptions and partial restoration of telephones

The telephone lines were partially restored during the day, but the ASST’s web portal continues to be unavailable and has not even been replaced by a temporary page to alert users. At the moment, the cause of the incident is unclear: there has not yet been any ransom demand typical of ransomware attacks.

Milano Today, in an article of 07 June 2024 18:33 entitled ‘Asst Rhodense hacker attack, phones are working again’, reported a statement by the Lombardy Region:

The IT services of healthcare facilities using the Aria Data Centre, which were interrupted last night due to a disruption in the regional technology infrastructure, have been restored. Hospital activities continued regularly without any interruptions.

Source: Milano Today

08/06/2024 – 08:00 – Website still not restored

The ASST portal is still not accessible, nor has an information message of any kind been put in its place.

09/06/2024 – 10:00 – Website still not restored

The ASST portal is still not reachable, and there is still no information message in its place. This is not a technical difficulty and is unacceptable in the sensitive context of a health data incident.

12/06/2024 – 18:05 – Website being restored

The ASST Rhodense portal appears online again at around 18:05 on 12/06/2024, albeit in a decidedly provisional form.

13/06/2024 – Notice to users

A written notice from the ASST was published on 13/06/2024 in the communications section.

13/06/2024

UPDATE REGARDING THE ATTACK ON THE COMPANY COMPUTER NETWORK
We would like to inform you that currently the company telephone network has been almost entirely restored and the company switchboard is up and running and can be contacted on 02.994301.

The provision of scheduled outpatient services is guaranteed, including nuclear medicine and, partially, radiology services. Scheduled surgeries are also gradually being reactivated. The Emergency Departments remain active and receive patients who present themselves and certain types of emergencies sent by AREU by ambulance.

Laboratory analysis services, booking activities at the company's CUPs and at the Intake Points are still suspended (TAO patients can turn to the reception of the Bollate, Garbagnate and Rho Hospital Centres for information on how to perform the examinations required for therapy management).

The technicians are working to ensure the resumption of all activities, but unfortunately it is not yet possible to define the timeframe for the restoration of the entire IT infrastructure.

The Management would like to thank all those who are cooperating in the management of the problem and the citizens and patients for understanding the complexity of the situation.

No indication is given as to the nature of the attack and all notices start on 13/06/2024. There are no previous notices published in the section.

18/06/2024 – Communications Update

A further update of the temporary communication area was published today.

20/06/2024 – The Cicada3301 collective claims attack on ASST Rhodense

As reported by the well-known Ransomfeed platform, on 19/06/2024 the Cicada3301 collective claimed an attack on the ASST Rhodense. The hackers published 15 packages containing the data stolen from the ASST, the contents of which thus became public knowledge. It is worth noting that this collective has only 4 attacks to its credit, the only Italian one at the moment being that of the ASST Rhodense.

Among the data stolen and shown in the examples are personal data processing forms, copies of identity documents, fitness-for-work reports, medication delivery notes, and even a screenshot of the file system that (again) holds health data. This system, as has been explained on several occasions, is not suitable for holding and processing health data. The ASST Rhodense also proves to be not up to the task of managing the personal data of its patients.

20/06/2024 – The ASST publishes a notice on its portal

In order to deal with the problems caused by the attack on the company’s IT network, which occurred on 6 June 2024, the company immediately worked and is continuing to work tirelessly to rebuild the entire infrastructure and to be able to reactivate all the services for citizens as soon as possible, whom we thank for understanding the complexity of the situation. We would like to inform you that from Friday 21 June onwards, booking activities will resume at the company’s facilities and that, from Monday 24 June, activities at the Hospital Pick-up Points (Bollate, Garbagnate, Passirana and Rho) will resume. Information on the gradual reactivation of the Territorial Blood Collection Points, scheduled for next week, will be communicated as soon as possible. It is confirmed that the ASST is guaranteeing the provision of all outpatient services already scheduled, including those of nuclear medicine and radiology and scheduled surgeries. The Garbagnate and Rho Accident and Emergency Departments are active. Outpatient services and admissions suspended due to the attack on the company computer network will be rescheduled: citizens will be contacted by ASST personnel, who will provide any instructions. The reports of the services provided up to 6 June 2024 can be collected from the “Pick up reports” services operating at the company facilities, presenting the paper documentation issued by ASST Rhodense when the examination was performed. For enquiries you can contact the ASST Rhodense Public Relations Office (URP) on 02.994301814.

Below is the official screenshot.

The official communication as published on the ASST Rhodense provisional portal.

27/06/2024 – ASST publishes further news update

30/06/2024 – Still no news

What the ASST Rhodense portal looks like 25 days after the attack

The ASST Rhodense portal continues to appear in its ‘provisional’ guise despite 25 days having passed since the attack. The complete failure to comply with the timeframes laid down by AgID in the SLAs should make one reflect on the actual awareness of the data and systems held, managed and processed by the ASST. Having said this, it should be noted that the ‘Communications’ section is regularly updated with useful notices to users.

13/07/2024 – Failure to restore web services

Since 6 June, 37 days have passed and the ASST Rhodense web portal still appears in its temporary guise, as shown below; the last notice is dated 08/07/2024. We continue to monitor the situation.

The latest notice on the temporary portal of the ASST Rhodense

23/07/2024 – Failure to restore web services

ASST Rhodense remains with the temporary portal, which continues to be updated, thus extending the service restoration time (RTO) well beyond the periods stipulated by the AgID SLAs.

Although temporary, the portal continues to be updated

13/08/2024 – Failure to restore web services

69 days after the inefficiencies began, the ASST Rhodense portal continues to be in provisional form.

22/08/2024 – New web portal online

The graphics of the new ASST Rhodense portal

Finally, after more than 70 days, the new ASST Rhodense portal is online.