The “San Raffaele” hospital in Milan, Italy, has suffered a catastrophic cyberattack that also involved the stealing of sensitive data belonging to patients, doctors, nurses, and various employees working there. The data breach went unnoticed for two days now. However, the Twitter user “LulzSecITA” disclosed the event on the social media platform, asking the hospital’s management if they had already informed the Italian data protection officer as they should. However, the hospital failed to respond to these tweets, forcing the anonymous activist to publish screenshots of the stolen data, and then the local media noticed.
https://twitter.com/LulzSec_ITA/status/1263370997937451009
This compelled the San Raffaele management to finally issue an official announcement on the matter, which goes as follows:
“The situation to which reference is made, reported by an unreliable source, refers to an attempted intrusion which took place months ago which did not entail access to any sensitive data. The names of many operators are public for service reasons and the information published relates to an application dedicated to online training that has been abandoned for years with equally obsolete and abandoned users and access passwords – and that the hospital management – is already in contact with the competent bodies to provide any useful clarification.”
So, the hospital’s official stance is that this data is not valuable at all, as it concerns old and obsolete accounts that have been abandoned. Their response irritated the activist even more, so he/she went on to publish patient data, which admittedly never gets obsolete and cannot be considered unimportant. The user also threatened to publish even more data if the Milan-based hospital didn’t finally admit what happened and inform the affected individuals.
As it seems from the leaked data, the details that have been exposed include names, tax codes, email accounts, usernames, and passwords. Right now, we don’t know if this is the result of a ransomware attack that resulted in the stolen data ending up on the dark web. Potentially, the activist who posts on Twitter could have found a vulnerability in the IT systems of San Raffaele, and took the matter on social media instead of simply reporting it to the hospital. Or maybe the reports went unnoticed, and the activist felt forced to seek attention-grabbing publicity.
We expect the Twitter user to return with more revelations considering he/she is using the “StayTuned“ hashtag, so we are bound to learn more about what happened at the San Raffaele hospital soon. One thing that we can already comment on is the fact that the hospital has failed to follow proper security practices by storing account credentials in plaintext form on its systems. Moreover, they did not inform the authorities about any breaches within 72 hours - as the GDPR law obliged them. They also failed to respond to the allegations even after data samples started appearing online.