
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

New York Blood Center Enterprises Notifies Individuals Affected by January Ransomware Attack

New York Blood Center Enterprises, the operator of 19 blood donor centers in New York and New Jersey, has notified the Maine Attorney General about its January 2025 ransomware attack and has provided further information on the findings of its investigation. As previously announced and reported below, the attack was detected on January 26, 2025. The forensic investigation confirmed that an unauthorized third party had access to its computer network between January 20 and January 26, 2025, and obtained a copy of a subset of files stored on the network.

The files were reviewed, and New York Blood Center Enterprises obtained a preliminary list of individuals whose names and sensitive data were involved on June 30, 2025. The draft list was reviewed, and “an extensive analysis” was conducted to develop a final list of the individuals to notify. The final list was obtained on August 12, 2025. The types of information involved vary from individual to individual and may include names in combination with Social Security numbers, driver’s license numbers, other government identification card numbers, and/or financial account information.

New York Blood Center Enterprises started mailing notification letters to the affected individuals on September 5, 2025, and individuals whose Social Security number or driver’s license number was involved have been offered one year of complimentary credit monitoring and identity theft protection services. New York Blood Center Enterprises said it has enhanced its security protocols and technical safeguards to further protect and monitor its systems.

The notification letters do not mention ransomware, although New York Blood Center Enterprises previously stated that ransomware was involved. The threat group responsible for the attack has not been disclosed, and no group is known to have claimed responsibility for the attack. The notification letter to the Maine Attorney General states that 8 Maine residents were affected, but the breach report does not state how many individuals were affected in total. The HHS’ Office for Civil Rights does not yet show the breach.


Update: New York Blood Center Enterprises has confirmed that 193,822 individuals were affected.

January 31, 2025: New York Blood Center Enterprises Grappling with Ransomware Attack

A ransomware group has attacked another U.S. blood donation organization. New York Blood Center Enterprises (NYBCe) is one of the largest community-based, non-profit blood collection and distribution organizations in the United States. NYBCe operates 19 donor centers in New York and New Jersey and provides blood and stem cell products to around 70 hospitals in the area. Through its operating divisions in Connecticut, Delaware, Kansas, Minnesota, Missouri, Nebraska, Rhode Island, and Wisconsin, transfusion-related services are provided to more than 500 hospitals nationwide serving around 75 million people.

On Sunday, January 26, 2025, suspicious activity was identified in its IT systems. Third-party cybersecurity experts were engaged to investigate, and it was confirmed that the suspicious activity was due to a ransomware attack. Steps were taken to contain the threat and eject the threat actor from its network, and work is underway to restore its systems as quickly and safely as possible. Law enforcement has been notified, workarounds are being implemented to restore its services and fulfill orders, and NYBCe has been in regular communication with its hospital partners and is working on minimizing disruption to blood supplies.

At this stage, NYBCe is unable to provide a timeline for when its systems will be restored. While the incident has affected the functionality of its IT systems, all blood donor centers remain operational, and its community blood drives are continuing, with donations being accepted; however, the IT issues caused by the ransomware attack mean processing times are likely to be longer than normal at its donation centers and blood drives, and some donation center activities and blood drives may need to be rescheduled. The attack could not have come at a worse time. On January 21, 2025, just a few days before the attack, NYBCe declared a blood emergency due to a 30% reduction in blood donations in recent weeks that has caused a blood shortage in the region. Some blood drives have had to be canceled as a result of the attack.

It is currently unclear which ransomware group is behind the attack and whether donor information was stolen. NYBCe has been providing updates on its website and will issue notifications to any affected individuals if it is confirmed that personal information has been stolen. Ransomware attacks on blood collection and distribution organizations can cause serious disruption to blood supplies. A July 2024 ransomware attack on the Florida-based blood organization, OneBlood, disrupted blood supplies to the 350 hospitals it serves in Alabama, Florida, Georgia, and North and South Carolina, forcing them to implement their critical blood shortage protocols.

A ransomware attack on a pathology service provider to the UK’s NHS in June 2024 caused major disruption to blood transfusions in London and prolonged blood shortages due to the significant reduction in capacity. A ransomware attack on the Swiss pharma firm OctaPharma in April 2024 resulted in the closure of all blood plasma donation centers in the United States for several weeks.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
