Boston Children’s Health Physicians (BCHP), a pediatric group practice, is notifying patients of a cyberattack that exposed their protected health information (PHI). The cyberattack targeted a BCHP business associate – an IT vendor with access to its servers and data. BCHP employs more than 300 clinicians and provides care to newborns and children in Connecticut and New York.
BianLian Group Demands Ransom
According to BleepingComputer, the BianLian ransomware group has claimed responsibility for the attack and threatened to expose the data if not paid a ransom. The group has listed Boston Children’s Health Physicians on its dark website, claiming to have the practice’s data, including finance data, HR data, mailboxes and internal and external email correspondences, database exports, protected health information, personally identifiable records, health insurance records, and minors’ data.
Boston Children’s Health Physicians Explains Incident
In its website notice, BCHP explained that on September 6, 2024, its IT vendor informed them that it had identified unusual network system activity. On September 10, 2024, BCHP detected unauthorized activity on limited parts of its network; it implemented its incident response protocols, including shutting down its systems as a protective measure. BCHP began an investigation with a third-party forensic firm and determined that an unauthorized third party accessed its network on September 10, 2024, and took certain files. BCHP did not identify the vendor.
BCHP’s description of the exposed data is less expansive than that of the ransomware group. Its notice explains that the compromised PHI includes:
“current and former employee, patient, and guarantor information. Information varied by individual and may have included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and/or limited treatment information.”
BCHP clarified that its EHR systems were unaffected by the incident because they are located on a separate network.
BCHP began mailing notices to affected patients on October 4, 2024. It has not yet said how many patients were affected.
Business Associates Must Protect Patient Data
BCHP does not name the IT vendor targeted by BianLian. As a third-party vendor with access to PHI, the vendor is a HIPAA business associate subject to HIPAA law. The vendor must follow the HIPAA Security Rule and have policies, procedures, risk analysis, and a risk management plan.
BCHP notes that it was not the only customer affected by the incident; several other customers of the vendor were also hit. This is unsurprising because cyberattacks on business associates nearly always affect multiple organizations. One successful attack can open doors to all the vendor’s customers.
If the data breach affected 500 or more individuals, the Office for Civil Rights (OCR), which oversees HIPAA compliance, will investigate. The investigation will identify the vendor and scrutinize the vendor’s level of compliance.
Ransomware Threats Plague Healthcare
This breach highlights that ransomware continues to be a formidable threat to healthcare organizations holding patient data.
Paul Hales, an attorney with the Hales Law Group and author of The HIPAA E-Tool®, notes that “the threat of criminal ransomware attacks has grown exponentially. Equally alarming is the increased sophistication of the malicious software and the criminal schemes. Both raise the potential for victim harm.”
For several years, federal agencies charged with protecting healthcare data have warned the healthcare industry about cyber threats like ransomware. The FBI, CISA, and HHS publish specific Alerts and general guidance on strengthening cybersecurity and reducing ransomware attacks. See StopRansomware Guide Has the Latest and Best Advice.
The BianLian group was among the top three ransomware groups targeting the healthcare industry by victim volume during the first nine months of 2024, according to GuidePoint Security, which recently released a threat intelligence report on ransomware trends in the third quarter of 2024. LockBit and RansomHub were also among the top three hitting healthcare this year.
There are many more active ransomware groups, and they’ve become more sophisticated and aggressive. ALPHV/Blackcat was a major threat actor against Change Healthcare in January 2024 and reportedly received a $22 million ransom payment from Change Healthcare. Three months later, RansomHub demanded a double-extortion ransom from Change Healthcare. Cybersecurity experts believed RansomHub may have helped with the initial attack but hadn’t received a share of the ransom payment. Since it retained some of the stolen data, RansomHub wanted payment. The Rhysida ransomware-as-a-service group hit Lurie Children’s Hospital in Chicago in February.
Ransomware Skyrocketed Over the Past Four Years
This week, the HHS Office for Civil Rights (OCR) released new guidance on ransomware and the HIPAA Security Rule. OCR said the agency has seen a 102% increase in major ransomware breaches reported from 2019 to 2023.
“Cyberattacks, including ransomware, continue to be the greatest cybersecurity threat facing the healthcare industry and the PHI it holds,” said Nicholas Heesters, senior advisor for cybersecurity at HHS OCR, in the YouTube video. Heesters noted that OCR has investigated numerous regulated entities where cybersecurity attacks caused healthcare data breaches.
“Often, these investigations uncover non-compliance with provisions of the HIPAA Rules that could have, if properly implemented, prevented a ransomware attack or at least lessened the severity of the impact of such an attack,” Heesters said.
Use the HIPAA Security Rule to Protect Patient Privacy
Following the Security Rule is the best way to defend against cybercrime and protect patients’ health data.
HIPAA requires administrative, physical, and technical safeguards to keep protected health information secure and private. Regulated entities can use these safeguards to ensure they do everything possible to fight against cyber threats.
An annual risk analysis and an ongoing risk management plan help maintain the highest level of protection. Covered entities like BCHP must conduct due diligence with their business associates to ensure they follow HIPAA.
Organizations grow and change with new staff, new or different equipment or software, and new vendors. As circumstances change, the risk management plan will need to be adjusted. Review and refresh the risk analysis at least once a year.
Your preparations and diligence today will protect your data and save time and money later, even if a breach occurs.