Boston Children’s Health Physicians (BCHP), a multi-specialty pediatric group based in Valhalla, NY, provides services to newborns and children in New York and Connecticut. BCHP has reported that its IT vendor experienced a cyberattack. The IT vendor informed BCHP on September 6, 2024, that unusual activity had been noticed in the IT vendor’s network. On September 10, 2024, BCHP discovered unauthorized activity inside its own system and promptly activated its incident response procedures, shutting down systems to contain the breach. With the assistance of a third-party digital forensics company, BCHP determined that on September 10, 2024, an unauthorized third party gained access to selected areas of its system and extracted files that contained data associated with current and former employees, guarantors, and patients.
The substitute breach notice published by BCHP on its website confirmed that the data in the stolen files might have contained names, dates of birth, Social Security numbers, addresses, driver’s license numbers, health record numbers, medical insurance details, billing data, and limited treatment details. The attack did not impact the electronic medical record system. BCHP sent individual notification letters to the impacted persons on October 4, 2024, more or less a month after detecting the attack. The data breach is not yet posted on the HHS’ Office for Civil Rights breach portal, so the number of affected individuals is currently unknown. BCHP stated that it has applied extra safety measures to prevent similar incidents in the future and has enhanced its tracking of unauthorized access to its systems.
People whose driver’s license numbers and/or Social Security numbers were exposed in the incident were offered free credit monitoring services. Anyone who receives a notification letter should register for those services without delay to protect themselves against misuse of their data and should review the statements sent by their health insurance providers. Any service appearing on a statement that was not received should be reported.
BCHP didn’t give additional information about the attack, including the threat actor involved; however, the BianLian threat group has claimed responsibility for the cyberattack and has listed BCHP on its dark web data leak site. The BianLian threat group has been in operation since June 2022, targeting critical infrastructure organizations, including healthcare companies. The group uses double extortion tactics, exfiltrating sensitive data first and then encrypting files, though it has mostly turned to extortion-only attacks that skip file encryption. The group demands a ransom payment to stop listing the stolen data on its data leak site. According to GuidePoint Security, BianLian is among the top three threat groups attacking the healthcare industry in 2024. The listing on the dark web data leak site states that the information stolen in the attack included financial data, HR information, database exports, external and internal email communications, medical insurance data, and the protected health information (PHI) of minors.
The HHS’ Office for Civil Rights (OCR) released a video presentation on October 18, 2024, about ransomware deterrence and mentioned that data breaches related to ransomware increased by 102% from 2019 to 2023. The video offers more details on the resources available to HIPAA-covered entities to help them improve their protection. OCR’s senior advisor for cybersecurity, Nicholas Heesters, stated that OCR’s investigations of data breaches related to ransomware attacks on HIPAA-covered entities have revealed noncompliance with some terms of the HIPAA law. Had those covered entities been HIPAA compliant, the data breaches could have been avoided.