Fraud Management & Cybercrime , Healthcare , Industry Specific

BianLian Ransomware Gang Claims Heist of Pediatric Data

Boston Children's Health Physicians Says Incident Involved Unnamed IT Vendor
BianLian Ransomware Gang Claims Heist of Pediatric Data
Boston Children's Health Physicians website contains a notice about its recent cyber incident. (Image: BCHP)

Ransomware gang BianLian has listed Boston Children's Health Physicians - a pediatric group that practices in New York and Connecticut - on its dark web site, threatening to release stolen patient and employee data. The practice said the September incident involved an IT vendor.

See Also: Effective Communication Is Key to Successful Cybersecurity

In a notice posted on its website, Valhalla, N.Y.-based BCHP said that on Sept. 6, an unnamed IT vendor informed the pediatric practice that it identified unusual activity in its systems.

"On Sept. 10, 2024, we detected unauthorized activity on limited parts of the BCHP network and immediately initiated our incident response protocols, including shutting down our systems as a protective measure," the practice said.

BCHP's investigation into the incident determined that an "unauthorized third party" gained access to the practice's network on Sept. 10, taking certain files from its network.

Ransomware group BianLian as of Friday had Boston Children’s Health Physicians listed on its dark web site, claiming to have the practice’s data, including finance data, HR data, mailboxes and internal and external email correspondences, database exports, protected health information and personally identifiable records, health insurance records and minors’ data.

For its part, BCHP in its notice said the files compromised in the incident include current and former employee, patient and guarantor information. That includes names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and/or limited treatment information.

BCHP said its electronic medical record systems are on a separate network and were not affected by the incident.

BCHP Statement

In a statement provided to Information Security Media Group, BCHP said the impact of the vendor incident was not limited to just BCHP, and that "several" of that company's customers were also affected.

"Upon learning of this, we moved quickly to isolate and contain the incident, engaged best-in-class cybersecurity experts, and notified law enforcement. We have also implemented additional technology security protocols to protect our systems," BCHP said.

"We have begun the process of notifying impacted individuals and will be providing resources to those affected by the cybersecurity incident."

The practice added that it "invests heavily" in its networks and that it has implemented additional technology security protocols to protect its systems in the aftermath of the incident.

BCHP did not immediately respond to ISMG's request for comment on BianLian's claims, and for additional details about the incident, including the number of individuals affected and the identity of the IT vendor involved.

The pediatric practice includes more than 300 clinicians throughout 60 offices in New York’s metropolitan area, the Hudson Valley and Connecticut. BCHP, which is part of the Boston Children's Hospital care network headquartered in Boston, is also affiliated locally in New York with Maria Fareri Children’s Hospital of Westchester Medical Center.

'Formidable Threats'

As of Friday, the BCHP incident was not posted to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

The BCHP breach "highlights the most formidable threat and vulnerability in the health privacy landscape," said regulatory attorney Paul Hales of the Hales Law Group.

"The threat of criminal ransomware attacks has grown exponentially. Equally alarming is the increased sophistication of the malicious software and the criminal schemes," he said. "Both raise the potential for victim harm."

Furthermore, attacks on third-party business associates "are prime criminal targets" because one successful attack can open doors to all the vendor's customers, he added.

In new guidance about ransomware and the HIPAA security rule released on Friday, HHS' Office for Civil Rights said the agency has seen a 102% increase in the number of major ransomware breaches reported from 2019 to 2023.

"Cyberattacks, including ransomware, continue to be the greatest cybersecurity threat facing the healthcare industry and the PHI it holds," said Nicholas Heesters, senior advisor for cybersecurity at HHS OCR in the video.

"OCR has investigated numerous regulated entities arising from reports of breaches of unsecured PHI because of ransomware and members of the public filing complaints related to ransomware attacks," Heesters said.

"Often, these investigations uncover non-compliance with provisions of the HIPAA Rules that could have, if properly implemented, prevented a ransomware attack or at least lessened the severity of the impact of such an attack," Heesters said.

The HIPAA Security Rule "is a blueprint to prevent ransomware attacks," said attorney Hales. Nonetheless, "a covered entity with a robust HIPAA compliance program is still vulnerable when its business associate succumbs to a ransomware attack," he added.

As of Friday, BianLian listed Boston Children's Health Physicians as a recent victim on the ransomware gang's dark web site.

As for BianLian, the gang was among the top three ransomware groups targeting the healthcare industry by victim volume during the first nine months of 2024, said Grayson North, senior security consultant at GuidePoint Security, which Thursday released a threat intelligence report on ransomware trends in the third-quarter of 2024.

LockBit and RansomHub were the other top three hitting healthcare so far this year, he said (see: 3 Longtime Health Centers Report Hacks Affecting 740,000).

Other BianLian victims this year include Tennessee-based Murfreesboro Medical Clinic & SurgiCenter. An April attack by the gang disrupted MMC's healthcare services for several days and resulted in data theft breach affecting 559,000 individuals (see: Tennessee Clinic: April 'BianLian' Attack Affected 559,000).

But, of course, other ransomware groups have also hit healthcare entities, including pediatric healthcare providers so far in 2024.

That includes a January attack by ransomware-as-a-service group Rhysida on Chicago's Ann & Robert H. Lurie Children's Hospital, which disrupted the medical center's systems, including electronic health records, for weeks and resulted in a breach affecting nearly 800,000 people (see: Children's Hospital Notifies 800,000 of Data Theft in Attack).

"Ransomware-as-a-service criminals have decided in the past year to no longer adhere to a practice of avoiding targeted enterprises that perform life-saving services, like hospitals," said Jim Routh, chief trust officer at security firm Saviynt.

"Health providers, like Boston Children's Health Physicians, have a mission and primary focus to offer high-quality healthcare to those in need, in this case, children. Disrupting their services impacts quality of life for those patients in care and can easily lead to mortality for critical patients."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.