Data breach: Multimedica

Multimedica is an Italian company responsible for the healthcare activities carried out in facilities such as the San Giuseppe Hospital in Milan and the Irccs Multimedica in Sesto San Giovanni. It was the subject of a data breach by the LockBit collective. Let’s find out more.

Chronology of events

  • 21-22 April: data breach
  • 26 April: LockBit uploads material online
  • 29 April: the Multimedica S.p.A. website is back online, albeit with a ‘Service temporarily available’ warning
  • 30 April: LockBit releases the exfiltrated material to the public because the ransom has not been paid
  • 13 May: the restoration of the majority of services is confirmed.

About Multimedica S.p.A.

The following information was acquired from the Multimedica Group’s LinkedIn page.

Founded in 1986, the MultiMedica Group has almost 30 years of experience in the Italian healthcare world. Its inpatient and outpatient facilities offer 823 beds, 20 cots, 60 dialysis posts, 213 outpatient clinics, 20 operating theatres, 1 Emergency Department and 1 DEA Emergency Department. Over 2,000 people are employed in both medical and scientific fields. In 2014, patients were admitted to its facilities for a total of approximately 162 thousand inpatient days and more than 27 thousand operations were performed. 147 training courses were held for over 18 thousand hours of internal and over 6 thousand external training. The Group employs 170 professionals engaged in Research activities, which in 2014 produced 241 publications for a total of 908 IFN points, of which 680.5 referred to the IRCCS MultiMedica cardiovascular research area alone.

The VAT number of the company Multimedica SpA was opened on 26/10/2009, according to data from the Agenzia delle Entrate (Inland Revenue Agency). In 2021 it had a turnover of € 215,864,195.00, with 1868 employees on board in 2023 (data obtained from the portal ufficiocamerale.it). We are therefore talking about a solid, competent company that has been present in the territory for many years if we count the date of foundation (but also just the formal date of opening the VAT number). Finally, on the official portal we read a further description, which is given here for completeness.

The MultiMedica Group, with its 30 years of experience, is one of Italy's leading representatives of accredited private healthcare, the flagship of our country. It consists of an Institute for Hospitalization and Treatment with Scientific Character (IRCCS) with a cardiovascular focus, a classified hospital and teaching centre of the University of Milan, two multi-specialist hospitals, an outpatient centre, a laboratory medicine centre, a Science and Technology Centre dedicated to research in the life-science area, and a Research Centre active in the field of recombinant protein therapeutics and biosimilar drugs. Finally, completing the Group's activities is the MultiMedica ONLUS Foundation, which promotes and supports scientific research and professional and cultural training in the health sector.

Structures

The facilities that are part of Multimedica S.p.A. and can be found on the portal are:

  • I.R.C.C.S.: a multi-specialist hospital recognised by the Ministry of Health as a Scientific Hospitalization and Treatment Institute for the discipline ‘Diseases of the Cardiovascular System’, also including the basic research activities carried out in the MultiMedica Scientific and Technological Pole (PST) in Milan.
  • San Giuseppe Hospital: located in the centre of Milan, the San Giuseppe Hospital is a university campus of the University of Milan. It is organised into three departments: medical, surgical and maternal-child. The latter area, in particular, has become a reference point for the city of Milan.
  • MultiMedica Hospital in Castellanza: it is a point of reference in the Varese area for all medical and surgical specialities. The area of excellence of this facility, however, is both Cardiological Rehabilitation, an integral part of the Cardiovascular Department, and Neuromotor Rehabilitation.
  • MultiMedica Hospital in Limbiate (formerly Villa Bianca): this is the Group’s ‘historic’ hospital. Immersed in the Parco delle Groane, it is only 14 km from Milan and boasts a hospital tradition of more than 50 years. It specialises in intensive rehabilitation for the most complex pathologies such as polytrauma and severe cerebrovascular lesions and for coma patients.
  • Polo Scientifico e Tecnologico MultiMedica (PST): in its 10,000 square metres in the south of Milan, it houses the research laboratories of the IRCCS MultiMedica, the MultiLab, i.e. MultiMedica’s Department of Laboratory Medicine and Pathological Anatomy, the Cadaver Laboratory and the Group’s Biobank.
  • MultiMedica Cadaver Laboratory: within its Scientific and Technological Pole, the MultiMedica Group has implemented one of the most innovative spaces, both nationally and internationally, for dissection and the study of human anatomy in its entirety. It is called MARC (Milan Anatomical Research Centre) and is the first Cadaver Laboratory opened in Lombardy.
  • MultiMedica Multispecialist Outpatient Clinic: a multi-specialist outpatient clinic in the centre of Milan. Equipped with the most modern diagnostic instruments, it is able to respond to the most varied health requirements, from the blood test point, to physiatrics, to radiology with a focus of excellence in the field of senology.
  • MultiMedica Group Dialysis Centre: opened in 2008 at the Pio Albergo Trivulzio, it was the first to be located within a Social Welfare Residence for the Elderly.
  • MultiLab – MultiMedica Centre for Laboratory Medicine and Pathological Anatomy: includes Laboratory Medicine and Pathological Anatomy. The two units are divided into different areas: Allergology, Autoimmunity, Clinical Chemistry, Haematology and Coagulation, Microbiology, Clinical Research, Serology, Toxicology, Histology, Cytology, Molecular Biology, Immunohistochemistry.

What happened

Multimedica, according to Corriere della Sera, suffered two data breaches in succession: the events occurred between 21 and 22 April 2023 and compromised most of the systems, interrupting outpatient and emergency room activities and the collection of referrals. This resulted in the interruption of patient admissions in emergency rooms and the diversion of ambulances to other facilities. There is a very well written article by Chiara Crescenzi of Wired summarising the events.

On the night of 21-22 April, Multimedica’s official website suddenly became unreachable, and the Lombardy Region’s ‘Salutile’ app suddenly stopped providing real-time updates on patient care activities in local health facilities. The reason? ‘Internal computer problems’, the group first reported, which then admitted that it had fallen victim to a cyber-attack that caused ‘congestion’ in the activity of the connected facilities. For the entire weekend, therefore, ambulance access to the emergency departments was blocked, only paper medical records were worked on, and patients were discharged as possible.

Source: Wired (LINK)

The data breach was carried out by the LockBit collective, which listed Multimedica among its victims and set the deadline for paying the ransom at 30 April 2023 at 22:44:32 UTC. Immediately, as is customary, some sample files from the content exfiltrated from Multimedica were published.

These are heterogeneous data: identity documents, financial data, diagnostic reports on patients, which at the moment represent only a small amount of the stolen material.

Initial misunderstandings

Many wondered what had happened to Multimedica in the hours immediately following the disruptions: some speculated about a DDoS attack, as it was the web portal that was unreachable.

In fact, the initial disorientation was caused by the delay in claiming the attack; the stolen material was uploaded on 26 April 2023 at 22:44 UTC by LockBit. It is normal for some time to pass between the data breach and the publication of the material on the hackers’ portal; it is, we might say, physiological.

The LockBit collective

As previously written, the attack was claimed by the LockBit collective. The LockBit hackers are based in the Netherlands and proclaim themselves to be apolitical and only interested in money. A brief description can be extracted from the LockBit manifesto.

We are located in the Netherlands, completely apolitical and only interested in money. We always have an unlimited amount of affiliates, enough space for all professionals. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year. First and foremost, we’re looking for cohesive and experienced teams of pentestors. In the second turn we are ready to work with access providers: sale or on a percentage of redemption, but you have to trust us completely. We provide a completely transparent process – you can control the communication with the victim. In case when the company was encrypted and has not paid, you will see the stolen data in the blog. We also work with those who don’t encrypt networks, but just want to sell the stolen data, posting it on the largest blog on the planet.


Communications from Multimedica

On 25 April 2023, a press note posted on Facebook at 22:28 reads as follows:

Second computer attack at MultiMedica: only obstetrics, dialysis, rehabilitation, chemotherapy, nuclear medicine, ADI and inpatient services guaranteed. MultiMedica informs those concerned that it has suffered a second hacker attack on its computer systems. After the first attack on the night of Friday 21 to Saturday 22 April, the facility had promptly set up a task force, consisting of internal and external professionals, and was working to provide continuity of clinical and care activities, when it was the victim of a second attack. In light of the current situation, MultiMedica is advising its users that all outpatient activities, emergency room activities and the collection of reports are suspended. MultiMedica will directly contact patients already on note who may be admitted. Operational updates will follow. The company, which is cooperating with the Postal Police, is unable to say when all operations will be back to normal.

On 26 April 2023, the Multimedica group published a further notice on Facebook, in which it also referred to a TGR Lombardia video on YouTube, which can be found here.

The website of Multimedica S.p.A.

The company’s web portal was offline for several days. Using a script, a check was carried out to detect its eventual restoration, which, according to the tracing, took place on 30/04/2023 between 14:53:04 and 14:57:05, as shown in the following screenshot.

Once back online, albeit with a ‘service temporarily available’ screen, it could be seen that the web server is NGINX-based at version 1.20.1 (released on 25 May 2021) as per the official changelog. The version information was confirmed by the WhatCMS service as shown in the photograph below. The latest version of NGINX is 1.24.0, released on 11 April 2023.

If the version claimed by WhatCMS is confirmed, Multimedica is preparing to perform a website restoration based on a web server that is almost two years old.
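
The check described in this section can be sketched as follows. This is an added example, not the script the author used: it derives the restoration window from a series of probes and compares the NGINX version in the Server header with a reference release. The function names and the sample log are constructed, and any HTTP answer is treated as "back online" because the article counts the placeholder screen as a restoration.

```python
import re
import urllib.error
import urllib.request
from datetime import datetime

def probe(url, timeout=10):
    """One live check: (timestamp, HTTP status or None, Server header)."""
    now = datetime.now()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return now, resp.status, resp.headers.get("Server")
    except urllib.error.HTTPError as err:   # 4xx/5xx: the server did answer
        return now, err.code, err.headers.get("Server")
    except OSError:                         # DNS failure, refusal, timeout
        return now, None, None

def restoration_window(records):
    """(last failed probe, first answered probe) of the first recovery, or None."""
    last_down = None
    for ts, status, _server in records:
        if status is None:
            last_down = ts
        elif last_down is not None:
            return last_down, ts
    return None

def nginx_version(server_header):
    """Parse 'nginx/1.20.1' into (1, 20, 1); None if the version is hidden."""
    m = re.match(r"nginx/(\d+)\.(\d+)\.(\d+)", server_header or "")
    return tuple(int(p) for p in m.groups()) if m else None

def is_behind(server_header, reference):
    """True/False against a reference release, None when no version is exposed."""
    seen = nginx_version(server_header)
    return None if seen is None else seen < reference

# Constructed probe log (not the author's data); timestamps mirror the article,
# the 503 status is an assumption for the placeholder page.
SAMPLE = [
    (datetime(2023, 4, 30, 14, 49, 3), None, None),
    (datetime(2023, 4, 30, 14, 53, 4), None, None),
    (datetime(2023, 4, 30, 14, 57, 5), 503, "nginx/1.20.1"),
    (datetime(2023, 4, 30, 15, 1, 6), 503, "nginx/1.20.1"),
]

if __name__ == "__main__":
    print(restoration_window(SAMPLE))
    print(is_behind(SAMPLE[-1][2], (1, 24, 0)))  # 1.24.0: latest per the article
```

With `server_tokens off` NGINX omits the version from the header, and distribution packages often backport fixes, so the banner alone does not establish the patch level.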

Analysis of findings

The words ‘Files Are Published’ that appear on the LockBit portal when the ransom is not paid and time runs out

What can immediately be seen from the sample files the hackers published is the great diversity of data and information they accessed: identity documents, medical records, health care bills, financial balance sheets.

At 19:16 on 1 May 2023, the web pages that the LockBit collective exhibits were returning an error.

Until 3 May at 11:00 p.m., the TOR page of the LockBit group, although it opened, could not properly display the results of the data breach. This made it impossible to examine the findings, which, by the way, are not even present at the address dedicated to containing all leaks obtained from the data breach.

Updates

Update of 15 May 2023

An article on 13 May in Malpensa24 reads:

As of today, Saturday 13 May, it will again be possible to book outpatient services through the contact centre by calling 02-86.87.88.89 (SSN) and 02-999.61.999 (Solvents/Funds and Insurance), or by going to the Group’s various facilities.

Source: Malpensa 24 ‘Castellanza, hacker attack on MultiMedica defeated: back to normal’ (LINK)

As of today’s date (15/05/2023 – 3.40 p.m.), there are still problems with the web portal. The same article mentioned that the site would be restored at a later date.

Technicians are finalising the restoration of the company’s website, which will be operational again as soon as possible.

Source: Malpensa 24 ‘Castellanza, hacker attack on MultiMedica defeated: back to normal’ (LINK)