The BianLian ransomware group has claimed the cyberattack on Boston Children’s Health Physicians (BCHP) and threatens to leak stolen files unless a ransom is paid.

BHCP is a network of over 300 pediatric physicians and specialists operating over 60 locations across New York’s Hudson Valley and Connecticut, offering patient care in clinics, community hospitals, and health centers affiliated with Boston Children’s Hospital.

According to the announcement BHCP published on its website, a cyberattack compromised its IT vendor on September 6 and a few days later BHCP detected unauthorized activity on its network.

“On September 6, 2024, our IT vendor informed us that it identified unusual activity in its systems. On September 10, 2024, we detected unauthorized activity on limited parts of the BCHP network and immediately initiated our incident response protocols, including shutting down our systems as a protective measure.” – BHCP

The investigation that followed, conducted with the help of a third-party forensic expert, confirmed that the threat actors had gained unauthorized access to BHCP systems and also exfiltrated files.

The exposure impacts current and former employees, patients, and guarantors. The exposed data includes the following, depending on the information customers provided to BHCP:

• Full names
• Social Security numbers
• Addresses
• Dates of birth
• Driver’s license numbers
• Medical record numbers
• Health insurance information
• Billing information
• Treatment information (limited)

BHCP clarifies that the cyberattack did not impact its electronic medical record systems, as they are hosted on a separate network.

Individuals confirmed to have been affected by the incident will receive a letter from BHCP by October 25. Those who had their SSN and driver’s license exposed will also receive credit monitoring and protection services.

BianLian claims the attack

Earlier this week, the BianLian ransomware group claimed the attack by ading BHCP to their extortion portal.

The threat actors claim to have finance and HR data, email correspondence, database dumps, personally identifiable and health records, health insurance records, and data related to children.

The threat actors have not leaked anything yet, and there is no deadline for exposing the stolen information, indicating that they still expect to negotiate with BHCP.

Attacking children healthcare organizations and stealing the data of minors is typically avoided by ransomware groups, or at least they claim so, but some threat actors lack the moral guidelines to draw the line at that.

Earlier this year, the Rhysida ransomware group demanded a ransom payment of $3.6 million from Lurie Children’s Hospital in Chicago after stealing 600GB of sensitive data from its systems and causing operational disruptions that led to delays in medical care.