While it’s never good news that another medical entity has fallen prey to a cyberattack, in this day and age, it is somewhat impressive when an entity responds promptly.
On October 4, Boston Children’s Health Physicians (BCHP), a medical practice in New York and Connecticut, mailed letters to affected current and former employee, patient, and guarantors. In a substitute notice on their website, they explained that their IT vendor notified them on September 6 that it had identified unusual activity in its systems.
On September 10, 2024, we detected unauthorized activity on limited parts of the BCHP network and immediately initiated our incident response protocols, including shutting down our systems as a protective measure. We also began an investigation with a third-party forensic firm and determined that an unauthorized third-party gained access to our network on September 10, 2024, and took certain files from our network.
The files acquired varied by individual and may have included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and/or limited treatment information.
The EMR system was not involved in this incident.
BCHP’s substitute notice does not indicate the total number of people affected, nor the date range of any patient data.
Additional information about mitigation services be offered can be found on Boston Children’s Health Physicians site and in the letter sent out to those affected.
BianLian Claims Responsibility
Yesterday, BianLian added BCHP to its leak site. They did not provide any proof of claims or estimate of the amount of files acquired, but they claim that they obtained:
- Finance data
- HR data
- Mailboxes & internal and external email correspondence
- Databases exports
- PII and PHI records
- Health insurance records
- Children’s and minors’ data
Their claims are generally consistent with what BCHP described for the types of PII and PHI involved.
BianLian does have a history of following through and leaking all data if their victims do not pay their demands, so those potentially affected may want to assume the worst and make sure they take steps to protect themselves, such as putting a security freeze on their credit report if their identity information was acquired, and checking any insurance explanation of benefits statements going forward to make sure their insurance information hasn’t been misused by others.