Two Clinics Inform 700,000 Patients of Suspected BianLian Cyberattacks


Now-Dormant Gang Claimed North Carolina, Florida Groups on Data Leak Site This Year

Goshen Medical Center, with 38 locations in North Carolina, is among the two healthcare providers reporting significant hacks allegedly executed by the now-inactive ransomware group BianLian. (Image: Goshen)

Two medical facilities in the United States, one located in North Carolina and the other in Florida, are notifying over 700,000 patients that their sensitive health information was stolen in separate cyberattacks earlier this year. The ransomware group BianLian, now believed to be inactive, had listed both entities as victims on its dark web site.

Goshen Medical Center, a federally qualified health center with 38 locations in Eastern North Carolina, reported its cyber incident on September 17 to both federal and state authorities, stating that almost 456,400 individuals were affected. Meanwhile, Medical Associates of Brevard, based in Melbourne, Florida, disclosed to regulators on September 5 that approximately 247,000 patients had their data compromised in the hack.

Both organizations appear to have been victimized by BianLian, with Goshen being named on the group’s site in March and MAB earlier in January.

BianLian’s Inactivity and Potential Motivations

According to security monitoring platform Ransomware.live, BianLian has accumulated 553 victims since its emergence in mid-2022. The most recent publicly identified victim was noted in March, coinciding with an FBI advisory warning corporate leaders of fraudulent letters claiming sensitive data theft by the ‘BianLian Group.’ These letters demanded payments ranging from $250,000 to $500,000, but investigations suggest these extortion attempts may be linked to individuals outside of the actual ransomware organization.

Grayson North, a principal threat intelligence consultant at GuidePoint Security, elaborated that BianLian has not claimed any new victims since March 31, suggesting a potential rebranding effort to distance itself from negative perceptions created by the fraudulent mail threats.

Details of the Breaches

In its breach notification, Goshen reported detecting suspicious activity in its IT network on March 4 and discovered that unauthorized access to certain files occurred as of February 15. Following a thorough investigation, it indicated that it had observed no misuse of the potentially compromised personal health information, even though data such as names, addresses, dates of birth, Social Security numbers, and more were deemed vulnerable.

On the other hand, Medical Associates of Brevard acknowledged in its notice that its systems endured a “criminal cyberattack”, which also led to potential exposure of names, Social Security numbers, and various health-related information.

Current Cybersecurity Landscape

North emphasized that despite the apparent dormancy of the BianLian group, the healthcare sector remains a significant target, with 300 reported incidents attributed to ransomware attacks from January to August 2025, according to GuidePoint’s data. The industry’s vulnerabilities are further exploited by groups like INC Ransom and Qilin, which have been reported to adopt a ransomware-as-a-service model to maximize their impact.

He noted that many successful attacks often involve the exploitation of weak or misconfigured security measures, especially concerning VPNs and other perimeter defenses. Organizations are encouraged to implement robust multi-factor authentication and enforce stringent password policies to mitigate these risks effectively.

In conclusion, as the threat landscape continues to evolve, healthcare organizations must remain vigilant and proactive in fortifying their security postures to protect sensitive patient data against increasingly sophisticated cyber threats.
