Harry Schein says 2023 cyber attack impacted over 166,000 individuals

U.S. healthcare solutions provider Henry Schein said the data breach it suffered last year compromised the sensitive personal information of more than 166,000 individuals.

In a filing with the Office of the Attorney General of Maine, Henry Schein said it identified a cyber security incident on October 14, 2023, that affected portions of its manufacturing and distribution businesses. The company conducted an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

While Henry Schein did not reveal how its network was breached, the company said its investigation revealed that the sensitive personal information of its employees were compromised during the incident.

The compromised data included names, addresses, phone numbers, email addresses, photographs, dates of birth, demographic and background information, government-issued identification numbers including Social Security numbers, driver’s license and state identification numbers, passport numbers, financial information including bank account information, credit card numbers, loan details, medical history, treatment, and insurance information, details of employment at the company, IP address, and more.

In an initial filing with the Maine state regulator, Henry Schein said that it had identified 29,112 individuals affected by the incident. However, in a recent filing, the company said that at least 166,432 individuals were affected by the breach.

Henry Schein has urged all its employees to remain vigilant and monitor their credit reports and financial statements for any suspicious activities and to report suspicious activities to relevant law enforcement authorities and their banks. The company is also providing two years of complimentary credit monitoring and identity theft protection services via Experian IdentityWorks to all affected individuals whose data was compromised during the incident.

The BlackCat/ALPHV ransomware group claimed responsibility for the cyber attack on the company and listed it as a victim on its data leak site. The group claimed to be in possession of 35 TB of stolen data and gave Henry Schein until November 3 to pay a ransom. The group later launched a second ransomware attack and re-encrypted the company’s servers. It is not clear if a ransom was paid to the criminal group.