BianLian Threat Group Claims Responsibility for Cyberattack on Boston Children’s Health Physicians
Boston Children’s Health Physicians (BCHP), a Valhalla, NY-based multi-specialty pediatric group serving newborns and children in New York and Connecticut, has confirmed that its IT vendor (ATSG Inc.) fell victim to a cyberattack. The IT vendor notified BCHP on September 6, 2024, that unusual activity had been identified in the IT vendor’s systems. On September 10, 2024, BCHP identified unauthorized activity within its own network and immediately implemented its incident response protocols, which included shutting down systems as a protective measure. Assisted by a third-party digital forensics firm, BCHP learned that on September 10, 2024, an unauthorized third party gained access to certain parts of its network and exfiltrated files that included information related to current and former employees, patients, and guarantors.
BCHP has posted a substitute breach notice on its website that confirmed that the information in those files may have included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and limited treatment information. Its electronic medical record system was unaffected. Individual notification letters started to be sent to the affected individuals on October 4, 2024, less than a month after the attack was first detected. The incident was reported to the HHS’ Office for Civil Rights by the IT vendor as involving the protected health information of 909,469 patients, and employee data was also compromised. Approximately 918,000 individuals in total were affected by the breach. BCHP said it has implemented additional safeguards to prevent similar incidents in the future and has improved monitoring of its systems for unauthorized access.
Individuals who had their Social Security and/or driver’s license numbers compromised in the incident have been offered complimentary credit monitoring services. Anyone receiving a notification letter should ensure they sign up for those services as a matter of urgency to protect themselves against misuse of their information and should monitor their statements from their health insurers and report any services listed that have not been received.
BCHP did not disclose further details of the attack, such as the threat actor involved; however, the BianLian threat group has claimed responsibility for the attack and has added BCHP to its dark web data leak site. BianLian is a threat group that has been active since at least June 2022 and actively targets critical infrastructure entities, including healthcare providers. The group is known to use double extortion tactics, where sensitive data is exfiltrated and files are encrypted, although the group has largely switched to extortion-only attacks, skipping file encryption. Payment of the ransom is required to prevent the stolen data from being listed on its data leak site. According to Guidepoint Security, BianLian is one of the top three threat groups targeting the healthcare sector this year. The dark web data leak site listing claims the data stolen in the attack included financial information, HR data, database exports, internal and external email communications, health insurance records, and the protected health information of minors.
On October 18, 2024, the HHS’ Office for Civil Rights (OCR) published a video presentation on ransomware prevention and explained that ransomware-related data breaches increased by 102% between 2019 and 2023. The video provides further information on the resources available to HIPAA-regulated entities to help them improve their defenses. Nicholas Heesters, OCR’s senior advisor for cybersecurity, warned that OCR’s investigations of ransomware-related data breaches at HIPAA-regulated entities have uncovered noncompliance with certain provisions of the HIPAA Rules, and had those entities been fully compliant, data breaches could have been prevented.


