Boston Children’s Health Physicians (BCHP), part of the Boston Children’s Hospital network, confirmed that a data breach in September exposed sensitive patient information, including Social Security numbers, medical records, billing data, and treatment details. The organization, which connects families with over 300 doctors through 60 regional offices in New York and Connecticut, first detected unusual activity on September 6 and shut down its systems by September 10.
Hackers took files off BCHP’s network during the breach, which was later claimed by the notorious ransomware gang BianLian. This group, spotlighted by the FBI and CISA, has wreaked havoc on U.S. critical infrastructure since 2022, attacking organizations in various sectors, including healthcare.
In response to the breach, BCHP began notifying patients on October 4 and set up a call center to assist those affected. However, the organization has remained tight-lipped about the specific nature of the attack, leaving questions about whether ransomware was involved or the total number of people impacted.
Cybersecurity experts are raising alarms over the growing frequency and sophistication of ransomware attacks on healthcare providers. Steve Hahn, VP of Americas at BullWall, emphasized the serious public health risks posed by these incidents:
“There is a reason HIPAA has strict compliance guidelines, and cybersecurity is supremely important to the security of hospital records. Ransomware attacks on hospitals continue to rise and are a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services but always compromise the security of sensitive patient information.”
Paul Bischoff, a cybersecurity expert at Comparitech, noted that BianLian has claimed at least 60 ransomware attacks in 2024 alone, with nearly 2 million records affected. “So far this year, we’ve tracked 71 confirmed ransomware attacks on U.S. healthcare companies, compromising nearly 7.3 million records,” Bischoff said.
BCHP’s breach is part of a broader wave of cyberattacks on healthcare institutions, which have increased sharply in the past year. This week, both Healthcare Services Group and Gryphon Healthcare disclosed significant data breaches to regulators, affecting hundreds of thousands of people. In Texas, Texas Tech Health El Paso is grappling with ongoing IT outages after a weeks-long cyberattack.
The healthcare industry, a frequent target for ransomware gangs, is often ill-prepared to defend against these sophisticated attacks. Hospitals rely on extensive IT infrastructures and third-party providers to deliver essential services, making them vulnerable. Jim Routh, Chief Trust Officer for Saviynt, explained:
“Health care providers, by definition, rely on a wide diversity of IT components supported on a 24×7 basis with staff with limited resources to protect against sophisticated ransomware attacks. Healthcare professionals would be well served by an investment in identity security capabilities focused on the many third parties that require access to healthcare support systems in the delivery of care.”
While BCHP has not yet confirmed if they paid a ransom, Jim Doggett, CISO of Semperis, warned against paying up. He pointed to Semperis’ recent ransomware report, which found that nearly 25% of hospitals that paid a ransom received corrupted decryption keys or none at all.
“Paying ransoms isn’t a winning proposition for hospitals,” Doggett said. “All hospitals and any organization, for that matter, should fight back before they are attacked. They should assess what their critical systems are, in peacetime before an attack.”
As BCHP continues its recovery efforts, the breach serves as a stark reminder of the challenges healthcare providers face in securing patient data. Chris Hauk, Consumer Privacy Champion at Pixel Privacy, stressed the importance of vigilance for those affected:
“This cyberattack has exposed more than enough information about patients, guarantors, and employees to cause plenty of problems for the parties that have had their information exposed. Affected parties should definitely take advantage of the free credit monitoring and protection services offered by BCHP.”
The increasing frequency of ransomware attacks on healthcare is raising alarms among cybersecurity experts, regulators, and patients alike. Whether through stricter compliance guidelines or advanced cybersecurity measures, experts agree that healthcare institutions must urgently rethink their approach to cybersecurity, operating under the assumption that attacks are inevitable.