New York Blood Center Enterprises (NYBCe) recently reported a significant data breach linked to a ransomware attack that occurred in January 2025. This incident has impacted an undisclosed number of individuals, as unauthorized actors managed to access a selection of confidential files belonging to the organization. The breach has raised serious concerns, prompting the organization to alert those potentially affected.
NYBCe plays a crucial role in the healthcare system, supplying blood to around 200 hospitals throughout the Northeast while also offering various clinical services like apheresis, cell therapy, and diagnostic blood testing. This makes the potential ramifications of the breach particularly concerning for public health.
On January 26, 2025, NYBCe detected a cybersecurity breach and acted swiftly to secure its systems. During the six-day duration of the attack, the unauthorized party retained access to the blood center’s network, posing further risks to sensitive information. A breach notice filed with the Maine Attorney General’s Office outlined that affected individuals in Maine may have had their names, Social Security numbers, driver’s license numbers, financial account details, and employment-related information compromised.
In a notice posted on its website, NYBCe acknowledged its limitations in directly notifying affected individuals, stating, “We do not collect or maintain contact information for individuals for whom we provide clinical services.” As a result, they have encouraged those who suspect they may be affected to reach out to a dedicated call center for further assistance.
NYBCe expressed concern regarding the breach, assuring those impacted that the matter is taken very seriously. The organization is actively enhancing its security protocols and technical safeguards to mitigate the risk of future incidents. Current measures focus on strengthening defenses against tactics commonly associated with ransomware attacks, which may include initial access techniques, persistence, and privilege escalation tactics observable within the MITRE ATT&CK framework.
Despite the proactive measures being adopted, NYBCe’s official breach filing has yet to appear on the Office for Civil Rights’ breach portal, which is instrumental in keeping track of incidents involving patient data. This delay may raise additional questions about the transparency of the organization’s response.
This incident is not isolated, as NYBCe joins a disturbing trend among blood centers that have experienced ransomware attacks in recent months. For instance, Octapharma, another blood plasma provider, fell victim to a similar cyberattack in April 2024, leading to significant operational disruptions across over 190 plasma donation centers in the United States and Europe. Furthermore, in July 2024, the nonprofit OneBlood also experienced a ransomware incident, which forced the organization to operate at a significantly reduced capacity.
In light of these occurrences, the American Hospital Association and the Health Information Sharing and Analysis Center issued a joint bulletin highlighting the critical supply chain vulnerabilities within the healthcare sector. The bulletin emphasized essential strategies for ensuring resilient backup plans in the event of such cyber incidents, further underscoring the importance of robust cybersecurity measures in the industry.
The growing frequency and scale of ransomware attacks in healthcare signal an urgent need for organizations to evaluate their cybersecurity frameworks. As the landscape continues to evolve, proactive defenses and preparedness will be paramount for mitigating risks to sensitive patient information.
Jill McKeon has been reporting on healthcare cybersecurity and privacy issues since 2021.
