Boston Children’s Health Physicians (BCHP) fell victim to a ransomware attack involving an IT vendor. The attacker, the BianLian group, is now threatening to release sensitive patient and employee data.
On September 6, Boston Children’s Health Physicians (BCHP), a pediatric practice with offices in New York and Connecticut, was informed by an IT vendor about unusual activity in its systems. Four days later, the pediatric group detected unauthorized access to parts of its network, which led to the theft of certain files. The compromised data includes current and former employee records, patient information, guarantor details, and sensitive personal information such as names, Social Security numbers, driver’s licenses, and billing information.
In its most recent posting, BianLian claims to hold a trove of data from BCHP’s network, including HR files, emails, database exports, health insurance information, and minors’ health records. As of Friday, the incident had not yet appeared on the U.S. Department of Health and Human Services’ (HHS) HIPAA Breach Reporting Tool website, which lists breaches affecting 500 or more individuals.
BCHP’s electronic medical record systems, however, were not compromised as they operate on a separate network. The practice has initiated a thorough investigation and taken cybersecurity measures to mitigate further damage.
In its breach notice, BCHP acknowledged the incident: “On Sept. 10, 2024, we detected unauthorized activity on limited parts of the BCHP network and immediately initiated our incident response protocols, including shutting down our systems as a protective measure.” The practice also emphasized its swift response: “We moved quickly to isolate and contain the incident, engaged best-in-class cybersecurity experts, and notified law enforcement. We have also implemented additional technology security protocols to protect our systems.”
Paul Hales, a regulatory attorney from the Hales Law Group, told BankInfo Security that the BCHP breach “highlights the most formidable threat and vulnerability in the health privacy landscape.” He added, “The threat of criminal ransomware attacks has grown exponentially, with increased sophistication in malicious software and schemes.”
BCHP further stated: “We have begun the process of notifying impacted individuals and will be providing resources to those affected by the cybersecurity incident.”
Ransomware attacks on healthcare institutions have surged in recent years, placing patient safety and privacy at risk. According to HHS ransomware guidance, healthcare-related ransomware attacks have increased by 102% from 2019 to 2023.
Cybercriminal groups like BianLian have increasingly targeted third-party vendors to exploit weaknesses in supply chains, gaining access to multiple clients from a single breach.
The sensitivity of the stolen data, which includes minors’ health records, puts vulnerable individuals at heightened risk of identity theft and medical fraud. According to recent guidance from the HHS Office for Civil Rights, ransomware attacks on healthcare organizations have more than doubled between 2019 and 2023, emphasizing the severity of this ongoing threat.
Nicholas Heesters, a senior cybersecurity advisor at HHS, stated, “Cyberattacks, including ransomware, continue to be the greatest cybersecurity threat facing the healthcare industry and the PHI it holds.”
Attackers often exploit vulnerabilities in a vendor’s security system to gain access to the vendor’s clients. Once inside, they can infiltrate the client’s network, infecting systems with ransomware and compromising sensitive data.
Third-party vendors often serve multiple clients, making them a valuable target. If attackers successfully breach one vendor, they may gain access to sensitive data across various organizations, amplifying the impact of a single attack.
Organizations can enhance security by conducting thorough risk assessments, using multi-layered security protocols, and maintaining stringent access controls. Regular vendor audits, data encryption, and employee training on cyber hygiene are also key protective measures.