The New York and Connecticut Hospital recently confirmed it had been the victim of a large cyberattack.
The Company
Boston Children’s Health Physicians is a large hospital center serving the states of New York and Connecticut.
The system has over 60 locations, 20 specialties, and 300 clinicians, providing care to thousands of children and expecting parents. They are also affiliated with a local children’s hospital, the Maria Fareri Children’s Hospital/Westchester Medical System. As part of the Boston Children’s Hospital network of care, they are ranked one of the best hospitals in the world.
The Breach
According to Boston Children’s Health Physicians’ (BCHP) cybersecurity announcement, the organization was told their IT vendor had detected unusual activity on September 6th, 2024.
Soon after, on September 10th, 2024, BCHP similarly detected unauthorized activity on limited parts of its network. Their IT team immediately initiated an incident response protocol, which included shutting down the system.
The team conducted an investigation with the assistance of a third-party forensic firm, which determined that an unauthorized third party had accessed the network and taken certain files.
The files included data from current and former employees, patients, and guarantors. Information varied, but may have included:
- Names
- Social Security numbers
- Addresses
- Dates of birth
- Driver’s license numbers
- Medical record numbers
- Health insurance information
- Billing information
- Limited treatment information
Notably, BCHP’s electronic medical record systems are on a separate network and were not impacted.
It’s currently unclear how many individuals were impacted, but considering the breach impacted employees and patients, the number could be fairly high. BCHP began mailing letters to individuals whose information was involved.
In response, BCHP has also established a call center to answer questions. The organization said, “To help prevent something like this from happening again, we have implemented additional safeguards to further protect and monitor our systems.”
The organization is recommending those whose Social Security numbers or driver’s license numbers were involved take advantage of complimentary credit monitoring and protection services.
The Attackers
According to The Record, the attack was claimed by the ransomware organization BianLian. BianLian claims to have additional data, including financial information, HR information, database exports, and the data listed in BCHP’s cybersecurity notice.
The malicious group has gained attention from the FBI for past attacks. On May 16th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory against the organization. According to their notice, the group became active on or around June 2022 and has targeted the US and Australia. The group tends to target small and medium-sized businesses through malware and Remote Desktop Protocol credentials.
In 2023, BianLian notably took credit for an attack against the global charity organization Save The Children. In this attack, BianLian demanded a ransom, but so far, there is no reason to believe the organization has demanded a ransom from BCHP.
According to Paul Bischoff, a cybersecurity expert at Comparitech, BianLian has claimed at least 60 cyberattacks in 2024. “These attacks affected nearly 2 million records in total, and included some of the biggest breaches in the US healthcare sector,” Bischoff said.
A Growing Trend
Unfortunately, attacks against healthcare organizations are growing increasingly common. Other Boston Children’s hospitals have been targeted before. In 2021, an attack from an Iranian government-sponsored hacking group was stopped in its tracks. At the time, an intelligence agency was alerted about plans for the attack. The hospital was quickly alerted and able to safeguard their network.
In 2014, the hospital also experienced a sustained attack from the hacktivist group Anonymous. The man responsible for this attack, Martin Gottesfeld, was ultimately sentenced to 10 years in prison.
While Boston Children’s has experienced their share of attacks, they are far from alone. According to a report from Microsoft, 389 US-based healthcare institutions have been hit with ransomware attacks between July 2023 and June 2024. North Korea, Russia, and Iran were frequent places of origin. Many of these attacks appear to be the result of social engineering tactics, including email, SMS, and voice phishing.
What’s Next
For BCHP, their next steps will likely be alerting the Department of Health and Human Services (if the breach impacted more than 500 individuals) and any Attorneys General, such as Maine’s, that mandate it.
After that, there are numerous potential results. BCHP may decide to ramp up their cybersecurity measures. As data breaches increase and grow in sophistication, many healthcare organizations are finding their current prevention strategies insufficient. Conversely, the Department of Health and Human Services frequently investigates data breaches to determine if victimized organizations could have prevented the incident. If so, organizations may become the subject of legal penalties.
Many individuals are striking back as well. With skyrocketing breaches, victims are increasingly facing spam calls, risks of credit fraud, and identity theft. As a result, class action suits are soaring. It’s likely that firms will begin investigating the incident at BCHP and gathering facts for a case. The majority of cases settle, but can still be costly for healthcare organizations to resolve.
How Cloudticity Can Help
As data breaches continue to impact patients in the millions, it’s clear that healthcare organizations need a new strategy to protect themselves.
Despite the looming threat, a shortage of cybersecurity experts means many organizations are ill-prepared for threats, using old software or procedures unfit for today’s challenges.
As a HITRUST certified organization with over 10 years as a leader in managed security for healthcare, we’ve never suffered a data breach. Despite an ever-evolving threat landscape with sophisticated and persistent actors, we’ve kept every single organization we work with secure.
Using a proven security tech stack with the best experts, we keep data safe and ensure vulnerabilities are promptly resolved.
Attacks and their associated costs, including legal fees, system upgrade costs, and penalties, are rising. Cloudticity helps organizations focus their resources on serving patients instead of security concerns.
If you want to learn more about how we can help protect your organization from network attacks, reach out for a free consultation today.