Share this article on:
A major cyber attack on global healthcare organisation Henry Schein has resulted in personal financial information such as credit card details being potentially exposed.
The healthcare distributor first flagged the attack as a “cyber incident” on 15 October but updated it to a cyber attack on 13 November.
“Henry Schein is now aware that a data breach has occurred,” the company wrote in a notice.
Eleven days prior, the infamous ALPHV ransomware group claimed responsibility for the data breach, saying it had stolen 35 terabytes of data.
“We are pleased to announce that we have successfully encrypted Henry Schein’s network and extracted 35 terabytes of sensitive data,” the threat group said on its leak site.
According to Henry Schein, the information potentially accessed by the threat group included both personal and financial information, including bank account numbers, credit card numbers, “and other sensitive information may have been exposed to third parties”.
“We do not have all the details of what data may have been compromised,” it said.
The company also informed suppliers that it is “aware that the bank account information for a limited number of suppliers was misused”.
ALPHV is a ransomware group known for targeting healthcare providers and other companies in the healthcare industry. While Henry Schein was originally listed on the threat group’s leak site, Cyber Daily has observed that the listing is no longer there.
ALPHV said it would publish the company’s data on 3 November; however, there is no evidence that this occurred.
It is hard to conclude why the listing was taken down and why the healthcare distributor has only updated its notice in the last few days, over a week after the ransom was due.
This could indicate that the company and the threat actor are negotiating or that the threat group lied about the amount of data it had exfiltrated, or falsely took credit. However, this is just speculation, and there is no way of reaching a definite conclusion at this stage.
ALPHV’s posts discussing Henry Schein’s response to the ransom requests suggest that Henry Schein is trying to buy time and does not look ready to pay.
“We were in contact with Henry’s negotiators name Coveware Company … It seems like they are sticking to their position of buying more time, as they have been from the beginning,” said ALPHV.
“Last week, we warned them that if they continued this behavior, we would take action, and we did,” it continued, saying that it encrypted Henry Schein’s systems once again as punishment, “causing Coveware’s client to lose an additional two weeks of business”.
ALPHV said that the “amateur approach” has cost Henry Schein over US$150 million in operations.