{ "id": "d88ce45e-3f38-44ea-8cb7-1215f4d2c064", "created_at": "2026-04-06T03:37:38.692995Z", "updated_at": "2026-04-10T13:11:20.138943Z", "deleted_at": null, "sha1_hash": "5e360523c6b36928b8245aad571ec29f157735f8", "title": "Capital Health attack claimed by LockBit ransomware, risk of data leak", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3267604, "plain_text": "Capital Health attack claimed by LockBit ransomware, risk of data leak\r\nBy Bill Toulas\r\nPublished: 2024-01-08 · Archived: 2026-04-06 03:18:13 UTC\r\nThe LockBit ransomware operation has claimed responsibility for a November 2023 cyberattack on the Capital Health\r\nhospital network and threatens to leak stolen data and negotiation chats by tomorrow.\r\nCapital Health is a primary healthcare service provider in New Jersey and parts of Pennsylvania, operating two major\r\nhospitals and several satellite and specialty clinics.\r\nLast November, the organization experienced an IT systems outage following a cyberattack on its network, warning that the\r\nincident would impact its operations for at least a week.\r\nhttps://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nA security incident notification on the Capital Health website informs that all systems have been restored and operations\r\nhave returned to normal, while additional security measures have been implemented to prevent similar incidents from re-occurring.\r\nCapital Health's latest updates indicate they are still investigating whether data was stolen in the cyberattack.\r\nLockBit claims attack on Capital Health\r\nThe LockBit ransomware gang has now claimed responsibility for the attack on Capital Health by listing the healthcare\r\ncompany on its data leak extortion portal yesterday.\r\nMoreover, the cybercriminals allege to have stolen seven terabytes of sensitive medical data they threaten to leak tomorrow\r\nif the organization fails to meet their ransom payment demands.\r\nLockBit has an affiliate rule that states their affiliates (hackers) will not encrypt files on hospital networks but allow them to\r\nsteal data for extortion.\r\nWhile this policy has been broken numerous times by the operation's affiliates, in the attack on Capital Health, the LockBit\r\noperation says they purposely avoided encrypting the organization's files and instead only stole data.\r\n\"We purposely didn't encrypt this hospital so as not to interfere with patient care. We just stole over 10 million files,\" the\r\nransomware gang stated on their data leak site.\r\nMost ransomware groups tend to have strict policies regarding healthcare service providers, advising their affiliates not to\r\nperform such assaults for ethical reasons and banning them if they deviate from that instruction.\r\nHowever, the LockBit operation has repeatedly targeted healthcare networks, including the SickKids children's cancer\r\nhospital, the Katholische Hospitalvereinigung Ostwestfalen (KHO) in Germany, and the Carthage Area Hospital and\r\nClaxton-Hepburn Medical Center in upstate New York.\r\nIt should be noted that the LockBit operators claim that they are not behind the attack on KHO, but rather its another\r\nransomware gang who used their leaked ransomware builder. BleepingComputer has not been able to independently verify\r\nhttps://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/\r\nPage 3 of 4\n\nthese claims.\r\nIf LockBit and other cybercrime gangs continue to follow a pure data-theft approach, extorting hospital operators without\r\ntouching infrastructure would create a false sense of \"harmless\" cyberattacks.\r\nEncryption-less ransomware attacks can still lead to system outages as part of the victim's response action, catastrophic data\r\nbreaches for many people who received care in the targeted hospitals, and significant financial losses for already\r\nunderfunded or economically stressed institutions.\r\nUnfortunately, recent examples of high-impact ransomware attacks in the healthcare sector are abundant, including other\r\nvictims, such as Ardent Health Services, Integris Health, ESO Solutions, and the Fred Hutchinson Cancer Center (Fred\r\nHutch).\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/\r\nhttps://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/" ], "report_names": [ "capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446658, "ts_updated_at": 1775826680, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5e360523c6b36928b8245aad571ec29f157735f8.pdf", "text": "https://archive.orkl.eu/5e360523c6b36928b8245aad571ec29f157735f8.txt", "img": "https://archive.orkl.eu/5e360523c6b36928b8245aad571ec29f157735f8.jpg" } }