Healthcare Under Attack: MedusaLocker Ransomware Hits 23 Hospitals
6 min readCRITICAL URGENCY
Executive Summary
Ransomware gang targets 23 hospitals across Midwest with coordinated attack disrupting patient care. Critical vulnerability discovered in Epic EHR web portal affecting 250+ healthcare organizations. HIPAA enforcement action announced against healthcare provider for unpatched systems leading to breach.
⚡ Bottom line: Healthcare organizations must immediately verify VPN patch status and Epic MyChart security.
A coordinated MedusaLocker ransomware campaign has struck 23 hospitals across six Midwest states, encrypting electronic health records and medical imaging systems. Several hospitals have diverted ambulances and canceled surgeries. The attack exploited unpatched VPN appliances and spread via Active Directory.
Patient lives at risk: When EHR systems go down, clinical staff lose access to medication lists, allergies, and treatment histories. Errors can be fatal.
How to Protect Yourself — Action Items
Verify all VPN appliances are patched (Fortinet, Pulse, Cisco)
Implement network segmentation for clinical systems
A critical authentication bypass in Epic MyChart patient portal allows attackers to access any patient's medical records using only their date of birth and a predictable identifier. Estimated 250+ healthcare organizations using vulnerable versions.
Worst Case Scenario
📋
Medical Record Access
Unauthorized access to patient medical histories.
🆔
Identity Theft
PHI theft for identity fraud and insurance scams.
💊
Data Modification
Modification of medication lists and allergies — potentially deadly.
📜
Compliance Impact
HIPAA breach notification requirements triggered.
How to Protect Yourself — Action Items
Apply Epic emergency patch (EpicCare Link 2026.1.3)
Enable multi-factor authentication for MyChart
Review MyChart access logs for suspicious patterns
Implement CAPTCHA for login attempts
Notify patients if unauthorized access detected
💉
Urgent
Medical Device Vulnerabilities: Infusion Pumps
Why It Matters
CISA and FDA issued joint advisory on vulnerabilities in Baxter and B. Braun infusion pumps allowing remote attackers to modify dosing parameters. Healthcare facilities must balance patching urgency with clinical workflow disruption.
How to Protect Yourself — Action Items
Inventory all connected infusion pumps
Segment medical device networks from IT networks
Apply vendor patches during maintenance windows
Implement wireless intrusion detection for clinical VLANs
Enable pump dose limit alerts as safety backstop
⚖️
Enforcement
HIPAA Enforcement: $4.8M Penalty for Unpatched Systems
Why It Matters
HHS OCR announced a $4.8M settlement with a regional health system after ransomware attack exploited systems unpatched for 18+ months. Enforcement action signals increased regulatory focus on patch management in healthcare.
How to Protect Yourself — Action Items
Document patch management procedures
Implement 30-day patching SLA for critical vulnerabilities
Conduct risk assessment for legacy systems
Maintain evidence of patching for compliance audits
Review cyber insurance coverage for regulatory fines
🎣
High
Healthcare Phishing: Credential Harvesting Surge
Why It Matters
Phishing campaigns targeting healthcare workers increased 180% in January, exploiting COVID-19 variant fears, benefits enrollment, and fake IT support requests. Compromised credentials often lead to EHR access and data theft.
How to Protect Yourself — Action Items
Deploy phishing-resistant MFA (FIDO2/WebAuthn)
Conduct healthcare-specific phishing simulations
Implement email filtering with healthcare IOCs
Enable suspicious login alerts for EHR access
Train staff on current healthcare phishing lures
Run a KENSAI scan now to see if your healthcare systems are affected