krisanapong detraphiphat/Getty Images

Hackers have hit a major nursing home chain, potentially exposing a significant amount of patient and staff data in a brazen extortion attempt.

Consulate Healthcare confirmed to McKnight’s Long-Term Care News Thursday that the cybercriminal syndicate Hive attacked “a limited portion of our systems” and demanded payment to release it. Consulate refused to bend the knee.

“They will not be rewarded for their actions,” the company said in a statement. “We have been able to fully recover our systems without capitulating to extortion demands.”

Consulate is still trying to determine the extent of the incident and what data was breached, but patient care was not impacted, according to its statement.

Ransomware and other cyberattacks against healthcare companies have been rising. The US Department of Health and Human Services Cybersecurity Program issued an alert in April 2022 warning of “exceptionally aggressive” attacks from Hive. In November, the Cybersecurity and Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security, issued its own notice about Hive, noting that the group has hit more than 1,300 companies worldwide, obtaining approximately $100 million in ransom payments. 

Colin Zick, an attorney specializing in cybersecurity and data privacy, said nursing homes are particularly vulnerable to a cyberattack since they likely don’t have the IT infrastructure to protect themselves. 

“Their defenses are less robust than a big teaching hospital in a major metropolitan area,” Zick said. “The whole system is fragile, but you throw this in the mix, and you’re going to have nursing homes closing.”

Consulate posted a “security incident notice” on its website, saying that a vendor “suffered a security incident … where cybercriminals target portions of their network.” The company said it was posting the notice out “an abundance of caution” as it continued to work with the vendor.

Consulate’s statement seems to be at odds with claims made by the hacker group through a website called, which has been cited by numerous media reports. The website published a report on Jan. 6 with Stage Left Hive’s spokesman claiming that it attacked Consulate itself, not a vendor.

The report alleges Hive used the cyberattack to acquire “contracts, nda and other agreements documents – company private info (budgets, plans, evaluations, revenue cycle, investors relation, company structure, etc.) – employees (sic) info (social security numbers, emails, addresses, phone numbers, photos, insurances info, payments, etc.) – customers info (medical records, credit cards, emails, social security numbers, phone numbers, insurances, etc.”

The report also claims that Hive will be leaking the information after [Consulate] ended negotiations and that a “representative [of the company] indicated that they could not afford even the reduced amount demanded because their insurance would not cover any ransom payment.”

Zick said that it’s common for cybersecurity insurance not to cover ransom payments. The product will cover the incident response for forensic experts, lawyers and even communications counsel. 

“The ransom is usually an amount that pains you to pay, but you’re able to do it,” Zick said.