The BianLian ransomware group has claimed the cyberattack on Boston Kids’s Well being Physicians (BCHP) and threatens to leak stolen information until a ransom is paid.
BHCP is a community of over 300 pediatric physicians and specialists working over 60 areas throughout New York’s Hudson Valley and Connecticut, providing affected person care in clinics, neighborhood hospitals, and well being facilities affiliated with Boston Kids’s Hospital.
In accordance with the announcement BHCP printed on its web site, a cyberattack compromised its IT vendor on September 6 and some days later BHCP detected unauthorized exercise on its community.
“On September 6, 2024, our IT vendor informed us that it identified unusual activity in its systems. On September 10, 2024, we detected unauthorized activity on limited parts of the BCHP network and immediately initiated our incident response protocols, including shutting down our systems as a protective measure.” – BHCP
The investigation that adopted, carried out with the assistance of a third-party forensic professional, confirmed that the risk actors had gained unauthorized entry to BHCP methods and likewise exfiltrated information.
The publicity impacts present and former staff, sufferers, and guarantors. The uncovered knowledge contains the next, relying on the knowledge clients offered to BHCP:
- Full names
- Social Safety numbers
- Addresses
- Dates of beginning
- Driver’s license numbers
- Medical report numbers
- Medical insurance data
- Billing data
- Therapy data (restricted)
BHCP clarifies that the cyberattack didn’t impression its digital medical report methods, as they’re hosted on a separate community.
People confirmed to have been affected by the incident will obtain a letter from BHCP by October 25. Those that had their SSN and driver’s license uncovered will even obtain credit score monitoring and safety providers.
BianLian claims the assault
Earlier this week, the BianLian ransomware group claimed the assault by ading BHCP to their extortion portal.
The risk actors declare to have finance and HR knowledge, e-mail correspondence, database dumps, personally identifiable and well being data, medical health insurance data, and knowledge associated to youngsters.
The risk actors haven’t leaked something but, and there’s no deadline for exposing the stolen data, indicating that they nonetheless count on to barter with BHCP.
Attacking youngsters healthcare organizations and stealing the information of minors is often averted by ransomware teams, or no less than they declare so, however some risk actors lack the ethical tips to attract the road at that.
Earlier this 12 months, the Rhysida ransomware group demanded a ransom cost of $3.6 million from Lurie Kids’s Hospital in Chicago after stealing 600GB of delicate knowledge from its methods and inflicting operational disruptions that led to delays in medical care.