Qilin’s claim.

Minnesota-based Consulting Radiologists over the weekend notified 511,947 people of a February 12, 2024 data breach that compromised names, Social Security numbers, addresses, dates of birth, health insurance information, and medical information.

The attack took down the large radiology practice’s phone system and required some healthcare providers to divert patients elsewhere or rely on in-house imaging services. Consulting Radiologists disclosed it didn’t discover the breach until April 17, 2024.

On April 27, 2024, two ransomware groups claimed responsibility for the attack: Qilin and LockBit. Qilin claimed to have stolen 94,667 files, or 70 GB of data. The fact that two groups claimed this attack likely means they exploited the same vulnerability.

LockBit’s claim

We do not yet know how much ransom was demanded, whether Consulting Radiologists has paid or will pay it, or how attackers breached Consulting Radiologists’ network. Comparitech contacted Consulting Radiologists for comment and will update this article if it responds.

We recommend victims take advantage of the free credit monitoring offered by Consulting Radiologists via Cyberscout.

Who is LockBit?

LockBit is one of the most active ransomware groups of the last couple of years. Most likely based out of Russia, it often extorts victims twice: once for a decryption key to unlock affected systems, and again in exchange for not selling or publicly releasing stolen data.

We’ve logged 17 confirmed attacks by LockBit this year so far (excluding Consulting Radiologists). LockBit was behind recent attacks on Ernest Health (affecting 94,747 records) and Mālama I Ke Ola Health Center.

We have further tracked 146 unconfirmed attacks by LockBit in the US this year so far, including 12 healthcare companies.

Who is Qilin?

Qilin, also known as Agenda, is a Russia-based hacking group that mainly targets victims through phishing emails to spread its ransomware. It launched in August 2022 and also offers ransomware-as-a-service to third parties. Its attacks usually involve double extortion, in which Qilin demands payment to decrypt files encrypted by its ransomware, as well as a second payment in exchange for not releasing or selling stolen data.

Comparitech has logged two other confirmed attacks by Qilin so far this year. Both were food and beverage companies: Holstein Association USA, Inc. and Edlong Corporation.

We further tracked 26 unconfirmed attacks claimed by Qilin in the US this year so far, including two healthcare companies.

Ransomware attacks on US healthcare

Hospitals, clinics, and other healthcare-related organizations are frequent targets for ransomware attacks. Ransomware can disrupt key systems used for payment, making appointments, storing patient information, and more. Hospitals and clinics might be forced to cancel appointments and divert patients elsewhere, or resort to pen and paper until systems are restored.

Comparitech recorded 33 confirmed ransomware attacks on US healthcare organizations so far this year, affecting 2,027,162 records. The attack on Consulting Radiologists is the second largest (by records affected) this year, beaten only by Group Health Cooperative of South Central Wisconsin with 533,809 records affected.

We’ve also tracked 80 unconfirmed attacks on US healthcare organizations this year so far.

About Consulting Radiologists

Consulting Radiologists is a Minnesota-based chain of medical imaging centers. Many hospitals and clinics in the region outsource their medical imaging services to Consulting Radiologists. It employs more than 75 physicians, serves thousands of patients, and operates more than 26 on-site locations.