Hospitals and health systems receive fake data extortion letters 

Mar 05, 2025 - 03:51 PM
cybersecurity-hand-lock-graphic_900x400

In recent days, the AHA and the FBI have received multiple reports of hospitals and health systems receiving data extortion letters delivered through the U.S. Postal Service and originating domestically. The letters mostly purport to be from the Russian ransomware group known as BianLian. The letters also contain a US-based return address of “BianLian Group” originating from Boston, the FBI said. The threat actors claim to have a large amount of sensitive patient health information and other personally identifiable information, and threaten to publish the data unless a ransom is paid. No proof of stolen information or contact information is offered by the actors, only a ransom demand and payment method. The AHA has engaged with recipient organizations and the FBI on this issue.   
 
“It is highly unusual and highly unlikely that a real foreign ransomware group would send hard copy letters through the USPS,” said John Riggi, AHA national advisor for cybersecurity and risk. “I have personally reviewed the letters and discussed the situation with some of the victim organizations and the FBI. The consensus reached was that these extortion attempts were most likely hoaxes. If a health care organization receives such a letter it is recommended that they contact their local FBI office  and have a report filed  with the agency. It is also recommended that the letter and accompanying envelope be handled minimally and preserved in a larger paper envelope for possible fingerprint and forensic examination by law enforcement. Further information on this issue is forthcoming by FBI.”  

For more information on this or other cyber and risk issues, contact Riggi at jriggi@aha.org. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity

Related News Articles

Headline
Tactics by Scattered Spider cybercriminals highlighted in joint advisory 
The FBI, Cybersecurity and Infrastructure Security Agency and international agencies July 29 released a joint advisory on recent tactics by the Scattered…
Headline
Microsoft says China-based threat actors behind SharePoint attacks 
Microsoft July 22 released an update on the ongoing cyberattacks to SharePoint servers used within organizations, attributing the incidents to China-based…
Headline
Agencies warn of activity by Interlock ransomware
The FBI, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center…
Headline
Microsoft issues alert on vulnerabilities in ongoing SharePoint attacks 
Microsoft July 19 issued an alert about active attacks from vulnerabilities targeting SharePoint servers used within organizations. The incidents have not…
Headline
AHA blog: Why and How to Incorporate Physical Security Risk into Your Enterprise Risk Management
In his latest AHA Cyber and Risk Intel blog, Scott Gee, AHA deputy national advisor for cybersecurity and risk, explains how hospitals can prepare for and…
AHA Cyber Intel
Why and How to Incorporate Physical Security Risk into Your Enterprise Risk Management
In today’s heightened threat environment, driven by domestic and geopolitical issues, it is more critical than ever for hospitals to prepare for and mitigate…