BCNYS data breach exposes medical information of over 47,000 members
Farah Amod
Aug 26, 2025 6:39:51 PM

A cyberattack targeting the Business Council of New York State went undetected for nearly six months, affecting tens of thousands of individuals.
What happened
The Business Council of New York State (BCNYS), a nonprofit organization representing over 3,000 business members across the state, disclosed a data breach that affected 47,329 individuals. According to a filing with the Maine Attorney General’s Office, an unauthorized party accessed a portion of BCNYS’s internal systems between February 24 and February 25, 2025. The breach was not discovered until August 4. Once detected, BCNYS took steps to contain the incident and launched an investigation with the help of external cybersecurity professionals.
Going deeper
The investigation confirmed that the attacker exfiltrated a wide range of sensitive data, including personal, financial, and medical information. The exposed data includes:
- Full names, dates of birth, and Social Security numbers
- State-issued IDs, taxpayer IDs, and electronic signatures
- Bank account and routing numbers
- Payment card details, including PINs and expiration dates
- Medical information, such as diagnoses, treatments, prescriptions, and health insurance data
Although no misuse of the information has been reported to date, BCNYS has offered free credit monitoring services to those whose Social Security numbers were compromised. Affected individuals are also advised to monitor their financial accounts and credit reports for signs of fraud.
What was said
In a notification letter sent to impacted members, BCNYS stated that it acted immediately to secure its systems and determine the scope of the breach. It also mentioned that there have been no confirmed cases of identity theft resulting from the incident, but encouraged ongoing vigilance.
FAQs
Why did it take six months to detect the breach?
Delayed detection is often the result of gaps in continuous monitoring, lack of behavioral threat detection tools, or limited logging infrastructure—issues that can affect even well-established organizations.
What steps should affected individuals take now?
In addition to using the offered credit monitoring, individuals should freeze their credit reports, use two-factor authentication on financial accounts, and report any suspicious activity to the FTC or relevant financial institutions.
Can medical data like diagnoses and treatment history be used in fraud?
Yes. Medical identity theft can result in fraudulent insurance claims or unauthorized access to healthcare services in the victim’s name, potentially complicating future care and billing.