New York-based pediatric group says hackers stole patients' sensitive personal data

New York-based pediatric group Boston Children’s Health Physicians said that a data security incident experienced by its IT vendor let threat actors gain access to the sensitive personal information of its current and former employees and patients.

 

In a data security incident notice posted on its website, Boston Children’s Health Physicians, which has over 120 primary care pediatricians and over 150 pediatric specialists throughout New York’s metropolitan area, the Hudson Valley and Connecticut, said that on September 6, its IT vendor notified hospital authorities about unusual activity in its internal network.

 

“On September 10, 2024, we detected unauthorised activity on limited parts of the BCHP network and immediately initiated our incident response protocols, including shutting down our systems as a protective measure,” BCHP said.
 
“We also began an investigation with a third-party forensic firm and determined that an unauthorized third-party gained access to our network on September 10, 2024, and took certain files from our network.”

 

BCHP said the compromised data included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and limited treatment information of current and former employees, patients, and guarantors.

 

The healthcare provider added that its electronic medical record systems weren’t impacted by the incident as it was hosted on a different server.

 

While BCHP is yet to share the number of affected individuals, it has started notifying those whose data was compromised during the incident. Also, it implemented additional safeguards to protect and monitor its systems and avoid such incidents in the future.

 

Furthermore, for individuals whose Social Security number or driver’s license numbers were compromised, the healthcare provider has offered complimentary credit monitoring and credit protected services.

 

Recently, the BianLian ransomware group claimed responsibility for the cyber attack on BCHP and listed it as a victim on its data leak site. The group claims to be in possession of confidential data exfiltrated from the healthcare provider’s network, including finance data, HR data, mailboxes and internal/external email correspondence, database exports, PII and PHI records, health insurance records, and data related to children and minors.

 

 

The ransomware group has not announced a ransom payment deadline so far, indicating that ransom negotiations are possibly underway.