Palau health ministry on the mend after Qilin ransomware attack
The health ministry of the Pacific island nation of Palau has recovered from a ransomware attack launched by a gang known for targeting prominent healthcare institutions.
Palau officials told Recorded Future News that the February 17 ransomware attack launched by hackers connected to a group named Qilin allowed the infiltrators to steal files from IT systems used by the Ministry of Health and Human Services (MHHS).
The ministry runs Belau National Hospital, an 80-bed facility that serves the country’s nearly 20,000 residents spread across hundreds of islands.
MHHS said Palauans “have been the victims of a heinous crime by greedy cyber criminals that has put our ability to provide critical medical care and lifesaving emergency services at risk.”
Government officials isolated the incident and were able to return hospital operations to normal within 48 hours thanks to help from Palauan and Australian cybersecurity IT experts as well as officials from the Ministry of Finance.
A U.S. Cyber Command “defend forward” team is now on-site conducting forensics collection and analysis, according to Palau officials.
Qilin actors threatened to release the data they stole but Palau officials said no attempt to negotiate a ransom was made and there was no other direct communication beyond the note.
The group published some of the stolen information on Friday. In a statement, the Health Ministry confirmed that patient data was compromised as a result of the cyberattack and may include billing summaries for Belau National Hospital patients from 2018 to 2022. Personal information like names, addresses, phone numbers and data on diagnoses and procedures was likely exposed.
“Based on the kind of information that has been stolen, MHHS and its cyber advisors do not perceive any significant impact to the security of individual Palauans,” officials said. “However, MHHS recommends that all Palauans remain vigilant against potential fraud and/or phishing emails that may attempt to use this incident as a means of getting you to release personal information.”
The country’s government was targeted during another ransomware incident in April 2024 by actors claiming to be part of several different cybercriminal groups, leading officials and experts to theorize that the attack was cover for an attempted disruption by Chinese government hackers.
After emerging in late 2022, the Qilin ransomware gang has been responsible for multiple healthcare-related attacks, including a major incident last year that disrupted NHS hospitals in London and potentially exposed the information of a million people.
On Monday, the group took credit for a ransomware attack on Utsunomiya Central Clinic, a prominent cancer hospital in Japan. The clinic reported a ransomware incident two weeks ago that forced it to limit its medical examination and checkup services.
The hospital said the information of up to 300,000 people was stolen by the gang, including both patients and employees.
In addition to its attacks targeting healthcare institutions, Qilin hackers have in recent weeks targeted a local government in the U.S. and a large company managing dozens of local newspapers across the U.S.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.