
BianLian cyberattack hits Boston Children's Health Physicians

BianLian cyberthreat actors claimed responsibility for a cyberattack and data breach that affected Boston Children's Health Physicians through its IT vendor.

Boston Children's Health Physicians notified patients of a cyberattack and data breach stemming from its IT vendor. The multi-specialty group, which employs more than 300 clinicians and provides care to newborns and children in Connecticut and New York, said that it immediately initiated its incident response protocols when it discovered the incident.

The cyberattack occurred on Sept. 6, 2024, when an IT vendor of Boston Children's Health Physicians (BCHP) identified unusual activity on its systems. On Sept. 10, 2024, BCHP discovered that an unauthorized third party had also gained access to its network and had taken certain files.

According to BCHP's notice, the files involved in the breach included information pertaining to current and former employees, patients and guarantors. The breached data potentially included names, Social Security numbers, billing information, dates of birth, addresses, driver's license numbers, medical record numbers and health insurance information.

BCHP assured patients that its EHR systems remained on a separate network and were unaffected by the incident.

BianLian cyberthreat actors claimed responsibility for the cyberattack, threat monitoring firm Hackmanac said in a post on X, formerly Twitter.

The BianLian hacking group was the subject of a May 2023 alert by the FBI and the Cybersecurity and Infrastructure Security Agency. At the time, the agencies warned critical infrastructure entities about the group's record of targeting critical infrastructure and threatening negative legal and financial backlash if victims refused to pay the ransom.

BianLian has claimed responsibility for 60 confirmed ransomware attacks in 2024, according to data from Comparitech.

BCHP offered complimentary credit monitoring services to individuals whose Social Security or driver's license numbers were involved in the breach.

"This cyberattack has exposed more than enough information about patients, guarantors, and employees to cause plenty of problems for the parties that have had their information exposed," said Chris Hauk, consumer privacy champion at Pixel Privacy.

"Affected parties should definitely take advantage of the free credit monitoring and protection services offered by BCHP. They should also stay vigilant for phishing attacks via text or email with bad actors posing as officials from BCHP or other agencies."

As healthcare cyberattacks continue to have significant negative effects on the sector, organizations might consider taking additional steps to address third-party risk and guard against common attack methods.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
