Major blood center says thousands had data leaked in January ransomware attack

One of the largest independent blood centers serving over 75 million people across the U.S. began sending data breach notification letters to victims this week after suffering a ransomware attack in January. 

New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26. 

The organization left blank sections of the form in Maine that says how many total victims were affected by the attack but told regulators in Texas that 10,557 people from the state were impacted. In a letter on its website, New York Blood Center said the information stolen included some patient data as well as employee information. 

The information stolen during the cyberattack includes names, health information and test results. For some current and former employees, Social Security numbers, driver’s licenses or government ID cards and financial account information were also leaked. 

An investigation into the attack found that hackers accessed New York Blood Center’s network between January 20 and 26, making copies of some files before launching the ransomware. 

Founded in 1964, New York Blood Center controls multiple blood-related entities that collect about 4,000 units of blood products each day and serve more than 400 hospitals across dozens of states.

The organization also provides clinical services, apheresis, cell therapy, and diagnostic blood testing — much of which requires receiving clinical information from healthcare providers. The organization said some of this information was accessed by the hackers during the cyber incident. 

The investigation into the ransomware attack was completed on June 30 and a final list of victims that needed to be notified was compiled by August 12. 

New York Blood Center began mailing notification letters on September 5 but also posted a notice on its website and created a call center for those with questions.

Multiple blood donation and testing companies were attacked by ransomware gangs over the last year including OneBlood, Synnovis and South Africa’s national lab service.