Black Basta hits Synlab: analysis of the attack and cybersecurity lessons for the healthcare sector
Cyber defense strategies: how to protect healthcare infrastructures from ransomware
A hacker group called Black Basta stole and published health data from Synlab, a large medical company in Italy. Using ransomware and phishing, they caused serious risks to patients. Synlab has decided not to pay the ransom and is notifying affected patients.
The hacker group known as Black Basta has published on the dark web the health data stolen on April 18 from the Italian division of Synlab, one of the largest private healthcare companies in Europe. Synlab, with a widespread presence of 380 laboratories distributed across eight Italian regions, carries out approximately 35 million tests annually, including blood draws and prenatal tests. After the theft, the company said it did not want to give in to blackmail, and the data was subsequently published on the dark web. The seriousness of the attack lies in the vulnerability demonstrated even by large healthcare facilities and in the concrete consequences for patients, whose reports and personal information, such as diagnoses and treatments, are now accessible to attackers. The total data published amounts to 1.5 terabytes.
Attack techniques and ransomware used
Black Basta's modus operandi includes using ransomware to encrypt its victims' data, making it inaccessible until a ransom is paid. One of the main distribution techniques for this malware is phishing, i.e. sending deceptive emails that push recipients to click on malicious links, thus starting the installation of the ransomware. It has not yet been clarified how Black Basta managed to introduce the ransomware into Synlab's computer systems. However, the use of this methodology denotes a strategic and well-orchestrated approach to targeting vulnerable sectors such as healthcare.
Impact on the entire Italian healthcare sector
According to data from Clusit, the Italian association for cybersecurity, in 2023 cyber attacks in Italy increased by 65% compared to the previous year, with 310 incidents recorded. The healthcare sector has been particularly targeted, due to the relevance and sensitivity of the data processed. Healthcare facilities such as hospitals and diagnostic laboratories are particularly vulnerable as disruption to services can have serious and immediate public health consequences. The increasing frequency and sophistication of these attacks pose an ongoing challenge to healthcare cybersecurity.
Responses and measures taken by Synlab
In an official communication released on May 13, Synlab acknowledged the disclosure of the stolen personal data and said it would inform all those involved. The company reiterated its decision not to negotiate or pay the ransom demanded by the cybercriminals. According to Italian regulations, companies must report these incidents both to the Guarantor for the protection of personal data and, in the case of critical infrastructures, to the National Cybersecurity Agency. Synlab is also warning that anyone who makes illegal use of the disclosed data could face criminal prosecution. Security experts advise patients who have used Synlab's services in recent years to contact the company via certified mail to verify whether their data has been compromised, pending further communication from the company.
05/15/2024 13:52
Marco Verro