{
	"id": "9d320d1c-2305-4302-858e-1c4be64433b6",
	"created_at": "2026-04-06T00:18:29.634292Z",
	"updated_at": "2026-04-10T03:29:40.040084Z",
	"deleted_at": null,
	"sha1_hash": "c2cfe60bb82e25bca1622cf08d1e2fb5fd582dcf",
	"title": "Pennsylvania Health System CEO Confirms BlackCat Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117746,
	"plain_text": "Pennsylvania Health System CEO Confirms BlackCat Attack\r\nBy Marianne Kolbasuk McGee\r\nArchived: 2026-04-05 22:52:53 UTC\r\nFraud Management \u0026 Cybercrime , Healthcare , Industry Specific\r\nPhysician Practices Network Hit by Russian-Backed Group on Heels of National Alert (HealthInfoSec) • February\r\n21, 2023    \r\nLehigh Valley Health Network, which operates 13 hospitals and numerous physician practices and clinics in\r\neastern Pennsylvania, says it has been hit with an attack by Russian-based ransomware-as-a-service group\r\nBlackCat.\r\nSee Also: AI Pushes Cyberattacks to New Speed Levels\r\nBrian Nester, president and CEO of the network, in a statement provided to Information Security Media Group on\r\nTuesday, says that the attack so far has not disrupted the health network's operations.\r\n\"Based on our initial analysis, the attack was on the network supporting one physician practice located in\r\nLackawanna County. We take this very seriously and protecting the data security and privacy of our patients,\r\nphysicians and staff is critical.\"\r\nThe group's IT team on Feb. 6 detected unauthorized activity within its IT system, Nester says. The organization\r\nimmediately launched an investigation, engaged leading cybersecurity firms and notified law enforcement, he\r\nhttps://www.bankinfosecurity.com/pennsylvania-health-system-ceo-confirms-blackcat-attack-a-21279\r\nPage 1 of 3\n\nsays. \"We are continuing to work with our experts to investigate the scope of the incident, and as of today, we\r\ncontinue to operate normally.\"\r\nLVHN's investigation is ongoing, but its initial analysis shows that the incident involved a computer system used\r\nfor \"clinically appropriate patient images for radiation oncology treatment and other sensitive information,\" he\r\nsays.\r\n\"BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise. 
We understand that\r\nBlackCat has targeted other organizations in the academic and healthcare sectors,\" Nester says.\r\n\"We are continuing to work closely with our cybersecurity experts to evaluate the information involved and will\r\nprovide notices to individuals as required as soon as possible,\" he adds. \"Attacks like this are reprehensible and we\r\nare dedicating appropriate resources to respond to this incident.\"\r\nA LVHN spokesman declined ISMG's request for additional details about the BlackCat incident, including the\r\namount of the ransom demanded.\r\nOther Attacks\r\nLVHN is among the latest alleged healthcare sector victims of BlackCat, which is also known as Alphv.\r\nLast month, electronic health records vendor NextGen Health and pharmacy management services firm\r\nPharmaCare Services were purportedly among healthcare sector victims listed on BlackCat's leak data site (see: 2\r\nVendors Among BlackCat's Alleged Recent Ransomware Victims).\r\nThese latest BlackCat incidents come on the heels of a recent U.S. Department of Health and Human Services\r\nwarning to the healthcare sector about threats involving the cybercrime group (see: BlackCat, Royal Among Most\r\nWorrisome Threats to Healthcare).\r\nThe BlackCat ransomware-as-a-service group has demanded ransom payments as high as $1.5 million, and\r\naffiliates keep 80% to 90% of the extortion payments, according to the HHS alert. 
\"BlackCat tooling is constantly\r\nchanging as they cycle through testing/usage, updating their arsenal frequently,\" the alert says.\r\nWhile details of the LVHN attack by BlackCat are just emerging, the incident underscores important\r\nconsiderations for other healthcare sector entities, says Frank Catucci, chief technology officer and head of\r\nresearch at security firm Invicti Security.\r\n\"Organizations need to be hyper aware of their legacy systems and focus on increasing their cyber resiliency,\"\r\nCatucci says. \"As healthcare organizations continue to modernize legacy systems, including the shift from on-premise solutions to cloud-based solutions, they need to be prepared to monitor and manage their increasingly\r\ncomplex IT infrastructure. This entails developing an inventory of their rapidly changing environments and\r\nsystems, as you can't protect what you don't know exists in the first place.\"\r\nSource: https://www.bankinfosecurity.com/pennsylvania-health-system-ceo-confirms-blackcat-attack-a-21279\r\nhttps://www.bankinfosecurity.com/pennsylvania-health-system-ceo-confirms-blackcat-attack-a-21279\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/pennsylvania-health-system-ceo-confirms-blackcat-attack-a-21279"
	],
	"report_names": [
		"pennsylvania-health-system-ceo-confirms-blackcat-attack-a-21279"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2cfe60bb82e25bca1622cf08d1e2fb5fd582dcf.pdf",
		"text": "https://archive.orkl.eu/c2cfe60bb82e25bca1622cf08d1e2fb5fd582dcf.txt",
		"img": "https://archive.orkl.eu/c2cfe60bb82e25bca1622cf08d1e2fb5fd582dcf.jpg"
	}
}