Ransomware attack at New York blood services provider – donors turned away during shortage crisis

400 hospitals and med centers across 15 states rely on its products


New York Blood Center Enterprises (NYBCe) is currently in its fifth day of handling a ransomware attack that has led to system disruption.

Limited information is known at present, other than the usual boilerplate details which readers have come to expect from ransomware incident disclosures. 

The breach was detected on January 26 and NYBCe called in outside experts to assist with the remediation.

The non-profit says in a statement: "We took immediate steps to help contain the threat and are working diligently with these experts to restore our systems as quickly and as safely as possible. Law enforcement has been notified.

"We understand the critical nature of our services, and the health of our communities remains our top priority. We remain in direct communication with our hospital partners and are implementing workarounds to help restore services and fulfill orders."

NYBCe supplies over 1 million blood products to more than 400 hospitals and medical facilities across New York, New Jersey, and 15 other states every year.

"We remain incredibly grateful for the generous response of our greater blood community – including our hospital partners, hospital associations, blood centers across the country, the AABB Interorganizational Task Force, and our donors – who have all come together to help advance our shared mission," the statement adds.

The organization still doesn't know when it will be back up and running fully. It said it's trying to restore as soon as possible, but only when it's safe to do so.

The incident, which hasn't yet been claimed by a known cybercrime group, has led to the cancellation of blood donor and blood drive appointments. These will be rescheduled for a later date.

The attack comes amid pre-existing urgent appeals for blood donors as reserves reach critically low levels. NYBCe's website displays a bold-red banner declaring a "blood emergency."

The emergency was declared just five days before the attack, resulting from a 30 percent drop in donations "in recent weeks," and an "alarmingly low donor turnout" around the holiday period.

Appealing for donations of all blood types, it said types O-negative and B-negative were in especially short supply – down to just 1-3 days' worth.

"We are still accepting blood donations, but processing times may be longer than normal at donation centers and blood drives," NYBCe's ransomware disclosure states. "We are in direct communication with our donor centers, sponsor organizations, and donors to share updates as appropriate."

First London, now New York

Onlookers will be hoping the attack isn't as devastating as the one on Synnovis last year, a pathology services provider to major London hospitals.

The attack is frequently cited by the UK government as among the worst the country has faced in recent times, with thousands of appointments and procedures delayed or altered due to blood supply shortfalls. The group responsible, Qilin, said it had no regrets.

The healthcare industry is frequently targeted by cybercriminals, however. The golden combination of limited IT budgets, legacy tech, and the demand for constant uptime makes hospitals and their critical suppliers like NYBCe the perfect targets for ransomware.

Microsoft published data in October revealing that nearly 400 US healthcare organizations were hit by ransomware last year, with downtime costs running as high as $900,000 a day.

It said the average payment made in these scenarios stood at $4.4 million, although costs can reach much headier heights – UnitedHealth spent more than $2 billion on various aspects of its recovery.

Healthcare outcomes also plummet when facilities are hit with ransomware, especially with time-sensitive conditions such as strokes and cardiac arrests, the numbers showed. 

According to one study Microsoft cited, the number of confirmed strokes at hospitals experiencing a ransomware attack shot up 113.6 percent. The number of cardiac arrests rose 81 percent, and the survival rates for out-of-hospital cardiac arrests with favorable neurological outcomes plummeted from a typical 40 percent to 4.5 percent. ®
