Henry Schein, a prominent healthcare solutions provider and Fortune 500 company, has disclosed a significant data breach over a year after experiencing at least two ransomware attacks. The incidents were claimed by the BlackCat (ALPHV) ransomware gang, affecting over 160,000 individuals' personal information.
Henry Schein Inc. publicly announced the cybersecurity incident on October 15, 2023, but did not begin mailing notices until October 16, 2024.
One year after the first security incident, Henry Schein confirmed in a data breach notification to the Maine Attorney General that the ransomware group stole personal data from 166,432 individuals during these incidents.
According to the breach notification, the investigation determined that personal information, including unspecified sensitive data, was compromised. However, expert firm Federman & Sherwood, which investigates Henry Schein, Inc. for the 2023 data breach, said that potentially exposed details include full name, Social Security Number, and other sensitive information.
In 2023, Henry Schein faced considerable disruption due to cyberattacks that led to some systems being taken offline. On October 15, the company experienced an attack that impacted its manufacturing and distribution operations. Although specifics were not disclosed, the BlackCat ransomware group claimed responsibility, alleging they had exfiltrated 35 TB of sensitive data.
After nearly a month, on November 22, the company endured another attack by the same ransomware gang. The threat actors claimed to have encrypted Henry Schein's network again following unsuccessful ransom negotiations and even threatened a third attack. Although it's unclear if this final threat was executed, data stolen during the attacks was released on the gang's leak site.
In response to the breach, Henry Schein is offering impacted individuals a complimentary 24-month membership to Experian's IdentityWorksSM. This service is designed to help monitor credit history and detect potential signs of fraud, providing some level of protection to those affected.
ALPHV was shut down at the beginning of the year, but it was seemingly replaced by RansomHub, a ransomware-as-a-service (RaaS) active since February. The threat actor hit Change Healthcare earlier this year, and the data breach was posted on RansomHub’s leak website after ALPHV disappeared.