Vanderbilt University Medical Center Children's Hospital
Image: SenatorDF via WikimediaCommons (CC BY-SA 3.0)

Vanderbilt University Medical Center investigating cybersecurity incident

Vanderbilt University Medical Center said it is investigating a cybersecurity incident that led to the compromise of a database.

VUMC runs seven hospitals and multiple healthcare facilities across Nashville, Tennessee — serving more than three million patients each year. The organization is one of the largest employers in the state with 40,000 employees and has more than 1,7000 beds across its hospitals.

On Thanksgiving, the hospital system was added to the leak site of the Meow ransomware gang – a relatively new operation that researchers are still examining.

A spokesperson for VUMC confirmed that they were dealing with a cyber incident but would not say when it occurred, if it was ransomware, or what kind of effects they were seeing due to the attack.

“Vanderbilt University Medical Center (VUMC) identified and contained a cybersecurity incident in which a database was compromised and has launched an investigation into the incident,” they said.

“Preliminary results from the investigation indicate that the compromised database did not contain personal or protected information about patients or employees.”

VUMC was one of several organizations added to Meow’s leak site on Thursday. In March, researchers at cybersecurity firm Kaspersky released a decryptor for the Meow ransomware, which is based on a version of the leaked code from the Conti ransomware.

Conti’s source code was publicly exposed in March 2022 after a disgruntled affiliate took issue with the group’s support of Russia’s invasion of Ukraine.

At its peak, Conti was one of the most prolific ransomware groups operating, attacking dozens of high-profile targets, including the government of Costa Rica, before shutting down in May 2022.

Kaspersky noted that after the Conti source code was leaked, several different variants were created by various criminal gangs.

A ransomware researcher told BleepingComputer earlier this year that members of the Meow ransomware group posted in a Russian cybercriminal forum that they were “ceasing” their activities and provided a link to all of the private keys and decryptors. Most of the group’s initial attacks targeted Russian organizations, the outlet reported.

It is unclear whether this current campaign is tied to the previous Meow ransomware attacks.

Recorded Future ransomware expert Allan Liska said the actors behind this latest Meow campaign may not have actually used ransomware in their attack on the latest victims added to their leak site.

"There don’t appear to be any recent sample cryptors, so it might be an extortion only group, which is a lot easier to launch and would not have required breaking into all those targets," he said.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.