Boston Children’s Health Physicians confirms September data breach

A prominent organization that helps connect people with doctors in New York and Connecticut warned patients that a breach in September exposed troves of sensitive information.

Boston Children’s Health Physicians — which helps pair children with more than 300 doctors through 60 regional offices as part of the Boston Children’s Hospital network of care — said in a notice that it first was notified of unusual activity on its systems on September 6.

By September 10, company officials discovered further activity and shut down their systems. An investigation revealed that the hackers took files off of their network that contained patient information like Social Security numbers, addresses, medical record numbers, health insurance information, billing data and treatment information. 

The organization began warning patients about the breach on October 4 through mailed letters and created a call center to assist those affected.

Boston Children’s Health Physicians did not respond to requests for comment about whether they dealt with a ransomware attack or how many people were affected. It had not filed documents with state or federal regulators as of Thursday. 

The attack was claimed by the BianLian ransomware gang on Wednesday. The group caused outrage last year when it attacked global nonprofit Save The Children.

BianLian was spotlighted by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) last year after targeting multiple U.S. critical infrastructure sectors since June 2022.

Paul Bischoff, a cybersecurity expert at Comparitech, said the group has claimed at least 60 attacks in 2024.

“These attacks affected nearly 2 million records in total, and included some of the biggest breaches in the US healthcare sector,” he said.

Bischoff added that he has tracked 71 confirmed ransomware attacks on US healthcare companies, compromising nearly 7.3 million records. 

Cyberattacks on healthcare entities have continued to cause widespread damage over the last year, with Microsoft revealing this week that it saw 389 U.S.-based healthcare institutions hit with ransomware over the last fiscal year. 

This week, Healthcare Services Group warned the U.S. Securities and Exchange Commission of a cyberattack and Gryphon Healthcare told state-level regulators that nearly 400,000 people had information leaked during a cyber incident in July. Texas Tech Health El Paso said on Tuesday that it has been dealing with a cyberattack for weeks that has caused IT outages.  

Boston Children’s Hospital itself has been a frequent target for hackers, dealing with multiple incidents over the last ten years. 

FBI director Christopher Wray previously said a June 2021 cyberattack by Iranian government-backed hackers was “one of the most despicable cyberattacks” he had ever seen. Boston Children’s Hospital also dealt with a high-profile distributed denial of service attack in 2014.