Hackers demand payment from $5B hospital group amid ransomware attack
The Mediclinic Group, a global private healthcare provider valued at approximately $5 billion, has fallen victim to a ransomware attack that disrupted operations across multiple facilities in several countries, including Switzerland, South Africa, and the United Arab Emirates. The attack was claimed by the Everest ransomware group, and multiple physical healthcare facilities were impacted. Mediclinic is the latest victim in a series of high-profile incidents within the sector. On May 24, 2024, the company publicly confirmed the breach, while Everest published a post with proof-of-breach files on its dark web leak site to pressure Mediclinic into paying a ransom.
Everest ransomware group exposed
Everest is a relatively lesser-known but increasingly active threat actor that operates using a ransomware-as-a-service (RaaS) model. This structure enables affiliates to carry out attacks using Everest’s malware toolkit, sharing profits with the developers. If you're unfamiliar with this business model, you can read more about how ransomware-as-a-service works here.
What distinguishes Everest is its emphasis on data exfiltration before encryption. The group is reportedly known for stealing sensitive information, including internal company data, before encrypting files. In many cases, the group threatens to leak stolen files on its dark web site if ransom demands are not met. This approach, known as double extortion, has become a defining feature of modern ransomware operations. Rather than focusing solely on encryption, Everest often maintains access to compromised networks using stolen credentials and remote desktop vulnerabilities before deploying ransomware. The information targeted may include internal documentation, patient records, and employee data.
According to cybersecurity researchers, Everest has previously targeted municipalities, schools, and healthcare providers. The group has been linked to phishing campaigns, social engineering, and the use of remote access tools to establish initial footholds. While not as prolific as groups like LockBit or Conti, Everest is considered stealthy and technically capable.
Mediclinic Group services disrupted
Mediclinic, which serves hundreds of thousands of patients annually, confirmed that it had detected a cyberattack and was taking immediate steps to respond. The company described the incident as a major security event and launched an investigation to determine the scope and nature of the breach. Mediclinic is working with cybersecurity experts and legal advisors and has notified relevant regulatory authorities as part of its compliance obligations. As part of the investigation, affected devices and log activity are being analysed for signs of unauthorised access. A timely breach report to regulatory bodies is essential to ensure compliance and minimise further risks.
Although core clinical services reportedly remain operational, patient-facing platforms and internal communication systems were temporarily disrupted. The company has not disclosed whether it plans to negotiate with the attackers or pay the ransom. Meanwhile, Everest has posted what appear to be internal documents and confidential records to support its ransom demands.
Patient information and privacy at risk
The alleged breach has raised serious concerns about the safety of patient, employee, and customer information. Everest claims the stolen data includes personal details and contact information for up to 1,000 employees, as well as records that may contain sensitive patient identifiers. The following types of data may have been compromised: names, contact details, medical records, and other personal identifiers. Data held in Mediclinic's internal systems and data stores is particularly exposed during such breaches. If accessed by unauthorised actors, such information can be exploited for identity theft, fraud, or further attacks. To understand the risks more clearly, including how attackers misuse stolen data, read our guide on identity theft and how to deal with it.
This exposure highlights the urgent need for robust security controls within Mediclinic's infrastructure. It is crucial that the company act quickly to notify affected individuals, including customers, patients, and employees, about the breach and the specific risks involved. Transparent communication and timely support will be key in mitigating the potential impact and limiting downstream harm. Personal data must be handled with care and in accordance with all relevant data protection laws and regulations, and the incident is being treated as a serious security concern.
This incident serves as a stark reminder that protecting personal health information is not only a regulatory requirement but a matter of patient trust and safety. Organizations must treat all personal data responsibly throughout its processing, transfer, and storage.
Financial implications of the attack
The financial fallout from the attack could be substantial, both in the short and long term. Costs may include notification and support for affected individuals, credit monitoring services, and investments in improved cybersecurity. In addition, the company may face regulatory fines if found non-compliant with data protection laws.
Mediclinic also faces the risk of reputational damage. Trust is essential in the healthcare sector, and public perception of data security can directly influence patient retention and future growth. To restore confidence, Mediclinic will need to demonstrate strong leadership, clear communication, and a firm commitment to long-term security improvements. Businesses in the healthcare sector must prioritize data security and ensure that established security protocols and practices are in place before any incident occurs. Having established measures helps prevent breaches and enables a more effective response if an incident happens.
A pattern of targeting healthcare
The attack on Mediclinic is part of a broader trend. Healthcare organisations continue to be prime targets for ransomware groups due to the critical nature of their services and the high value of medical data. These ransomware events have impacted providers such as HCA Healthcare and Change Healthcare in recent years. Healthcare organisations must be prepared to deal with data breaches and security incidents by having procedures in place to manage suspected breaches, notify authorities, and take immediate actions to protect personal data.
Hospitals and clinics often operate complex IT environments with legacy systems that are difficult to secure. This creates an attractive attack surface for threat actors. Once inside, attackers can move laterally through systems to reach backups, databases, and sensitive infrastructure.
Ransomware groups understand that any delay in restoring access can affect patient care, increasing the pressure on victims to pay.
Strengthening defences against ransomware
Healthcare providers must prioritise cybersecurity to protect personal data and maintain operational integrity. Recommendations include the implementation of robust security measures such as network segmentation, strong authentication protocols, regular data backups, and comprehensive staff training. Having a well-tested incident response plan is also essential for limiting damage when attacks occur. Additionally, organisations should consult with cybersecurity experts or Data Protection Officers when responding to incidents to ensure effective and compliant actions.
In the event of a breach, sensitive information such as names, contact details, birth dates, and medical identifiers may be at risk. Healthcare organisations must be transparent about how this data is collected, used, and safeguarded to build and maintain public trust. A clear description of data handling practices, including privacy policies and technical safeguards, should be provided to inform users about how their information is managed and protected.
Cybersecurity is no longer just a technical matter. For healthcare organisations like Mediclinic, it is a critical component of patient care, reputation management, and regulatory compliance.
Conclusion
The ransomware attack on Mediclinic by the Everest group highlights the growing threat to critical infrastructure. As cybercriminals evolve their tactics and exploit weak points in essential services, organisations must act decisively to protect their systems and stakeholders. For the healthcare sector, the cost of inaction is measured not only in financial loss but in patient safety and public trust.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.