Ukrainian man pleads guilty to 2020 UVM cyberattack

UVM lost $30 million in the attack and experienced disruptions to care services that lasted more than two weeks.

Jeff Lagasse, Editor

In 2020, during the height of the COVID-19 pandemic, a ransomware attack disrupted patient care at the University of Vermont Medical Center (UVM) Health Network in Burlington, Vermont, costing the health system millions. Four years later, a Ukrainian national has pleaded guilty to spearheading the attack.

Vyacheslav Igorevich Penchukov was the leader of two prolific malware groups at the time, according to the Department of Justice. Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division said these groups stole millions from their victims, while the attack on UVM left the system unable to tend to critical care patients for more than two weeks.

"Before his arrest and extradition to the United States, the defendant was a fugitive on the FBI's most wanted list for nearly a decade," said Argentieri.

WHAT'S THE IMPACT?

Penchukov, also known as Vyacheslav Igoravich Andreev and Tank, 37, of Donetsk, Ukraine, pleaded guilty to two separate incidents. According to the DOJ, he helped lead a wide-ranging racketeering enterprise and conspiracy that infected thousands of business computers with malicious software known as "Zeus" beginning in May 2009. After installing Zeus without authorization on victims' computers, the enterprise then used the malicious software to capture bank account information, passwords, personal identification numbers and similar information necessary to log into online banking accounts.

Penchukov and his coconspirators then falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims' bank accounts, causing the banks to make unauthorized transfers of funds from the victims' accounts – resulting in millions of dollars in losses to the victims, according to the DOJ.

The enterprise allegedly used residents of the U.S. and elsewhere as "money mules" to receive wired funds from victims' bank accounts into their own bank accounts. They then withdrew and wired funds overseas to accounts controlled by Penchukov's coconspirators.

The DOJ said that, despite subsequently being added to the FBI's Cyber Most Wanted List, Penchukov returned to criminal activity by helping lead a conspiracy that infected computers with new malware known as IcedID or Bokbot from at least November 2018 through February 2021.

IcedID was a sophisticated form of malicious software that collected and transmitted personal information from victims, including credentials for banking accounts. Penchukov used this information to steal from IcedID's victims, and IcedID also provided access to infected computers for other forms of malicious software, including ransomware.

UVM was one such victim. The attack caused the loss of more than $30 million and left the medical center unable to provide many critical patient services for over two weeks, creating a risk of death or serious bodily injury to patients. Penchukov was charged with these offenses in the Eastern District of North Carolina.

Penchukov was arrested in Switzerland in 2022 and extradited to the United States in 2023.

He pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his leadership role in the Zeus enterprise, and also pleaded guilty to one count of conspiracy to commit wire fraud for his leadership role in the IcedID malware group. He is scheduled to be sentenced on May 9 and faces a maximum penalty of 20 years in prison for each count. A federal judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

THE LARGER TREND

Patient care is under threat from cyberattacks, particularly supply chain and business email compromise (BEC) attacks, as more and more healthcare organizations grapple with the cost and headaches associated with them, a 2023 report found.

The report found that 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyberattack was $4.99 million, a 13% increase from the previous year.

Among the organizations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain and BEC – an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates.

More than three quarters (78%) of respondents to an August 2023 Claroty survey experienced a minimum of one cybersecurity incident over the last year, which impacted a broad range of asset types, including IT systems, sensitive data, medical devices and building management systems.

Alarmingly, more than 60% of respondents reported a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health or safety. The financial ramifications mainly fell in the $100,000–$1,000,000 range, with 26% paying ransoms.
 

Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.