The notorious BlackCat (ALPHV) ransomware gang proudly announced that it successfully infiltrated the extensive network of the prominent healthcare corporation, Henry Schein. This cyberattack resulted in the theft of a substantial amount of data, encompassing sensitive information such as payroll records and shareholder data.
Henry Schein, a healthcare solutions provider, and a member of the prestigious Fortune 500, operates across 32 countries and reported a substantial revenue of over $12 billion in 2022. The incident came to light on October 15 when Henry Schein was compelled to take critical systems offline in response to a debilitating cyberattack that primarily impacted its manufacturing and distribution divisions.
Responding swiftly, Henry Schein initiated precautionary measures, which included disabling certain systems and implementing strategies to mitigate the incident’s effects. Unfortunately, these actions did lead to temporary disruptions in some of the company’s business operations. In an official statement, the company said it was working diligently to resolve the situation and restore normalcy as soon as possible.
Despite the disruption to some business functions, Henry Schein emphasized that its Henry Schein One practice management software remained unaffected by the cyberattack. The company took the responsible step of notifying law enforcement authorities about the breach and subsequently engaged external cybersecurity and forensics experts to investigate the possibility of a data breach stemming from the attack.
In a letter published one week after disclosing the cyberattack, Henry Schein encouraged its customers to place orders through their dedicated representatives or specific telesales phone numbers.
Almost two weeks later, the BlackCat/ALPHV ransomware group asserted its control by adding Henry Schein to its dark web leak site, boldly declaring its successful breach of the company’s network and the theft of a staggering 35 terabytes of sensitive data.
The cybercriminals boasted about encrypting the company’s devices again, just as Henry Schein was on the verge of restoring its systems, citing failed negotiations as the trigger for their actions. The threat actors accused Henry Schein of neglecting the security of its clients, partners, and employees and failing to protect its own network.
As a sign of their intent, the BlackCat group announced that they would publish a portion of Henry Schein’s internal payroll data and shareholder files on their collections blog, effective from midnight.
The entry pertaining to Henry Schein on BlackCat’s data leak site was subsequently removed, raising the possibility of the company resuming negotiations or potentially contemplating paying the ransom.
It’s worth noting that the BlackCat ransomware operation first emerged in November 2021 and is strongly suspected to be a rebrand of the notorious DarkSide/BlackMatter group. Initially known as DarkSide, this cybercrime gang gained global notoriety for infiltrating Colonial Pipeline, triggering extensive law enforcement investigations worldwide.
More recently, a BlackCat affiliate, operating under the moniker “Scattered Spider,” claimed responsibility for the MGM Resorts breach, where they allegedly encrypted over 100 ESXi hypervisors after MGM Resorts refused to engage in ransom negotiations and took down its internal infrastructure.
In April 2022, the FBI linked the BlackCat group to successful attacks on more than 60 organizations worldwide between November 2021 and March 2022, underscoring the significance of this cyber threat in the current landscape.
To prevent incidents like this, organizations should prioritize robust cybersecurity measures. This includes implementing multi-layered security protocols, conducting regular security assessments, regularly updating and patching software, and promptly addressing vulnerabilities. Employing intrusion detection and prevention systems, as well as encrypting sensitive data, can enhance overall security. Additionally, organizations should promptly involve law enforcement and cybersecurity experts in case of an attack.