Mail Scam Targeting Healthcare Organizations Claims Ransomware Ties
Healthcare organizations have reported receiving fraudulent extortion letters in the mail, with senders claiming to be part of the Russian ransomware group BianLian. In early March, the FBI’s Internet Crime Complaint Center (IC3) posted a warning that these letters, sent via the U.S. Postal Service, threaten to release sensitive patient and corporate data unless a ransom is paid.
The letters include a QR code linked to a Bitcoin wallet, demanding payments between $250,000 and $500,000 within ten days. Authorities haven’t found evidence to support these claims, and cybersecurity experts say the scam is likely a hoax.
Watch Your Mail
The American Hospital Association (AHA) confirmed that the scam letters bear a U.S.-based return address listed as “BianLian Group” in Boston. The AHA’s cybersecurity advisor, John Riggi, noted that it is highly unusual for a foreign ransomware group to send extortion demands via physical mail. He urged recipients to report incidents to the FBI and to preserve the letters and envelopes for forensic analysis.
While the FBI has found no connection between the senders of these letters and the actual BianLian ransomware group, organizations should:
- Notify corporate executives and staff about the scam.
- Educate employees on handling ransom threats. Learn more about Disaster and Recovery Planning.
- Verify network security and monitor for malicious activity. Conduct a Privacy Risk Assessment to assess your information security infrastructure.
Employee Training: Your Best Defense Against Threats
Staying informed about evolving security challenges through HIPAA Education and Literacy Training is crucial to avoiding potential threats. Many covered entities and business associates mistakenly believe that generic online HIPAA training is all they need for compliance. However, the HIPAA Privacy and Security Rules set specific requirements for workforce training, security reminders, and periodic updates.
New workforce members must be trained within a reasonable time after joining your organization. HIPAA compliance training is also required when a material change in your organization’s policies and procedures occurs, and whenever a need for it has been identified, for instance when a risk analysis shows a vulnerability to phishing.
The FBI continues to monitor the situation and will provide further updates as necessary.
Identify Your Security Risks
Identify, evaluate, and mitigate potential privacy and security risks within your organization. PrivaPlan can thoroughly analyze your data systems, processes, and policies to help ensure compliance with applicable regulations and industry best practices.