New York Blood Center Enterprises discloses data breach

New York Blood Center Enterprises, or NYBCe, notified an undisclosed number of impacted individuals of a data breach stemming from a January 2025 ransomware attack that disrupted operations. As a result of the ransomware attack, an unauthorized party acquired copies of a subset of NYBCe's files.

NYBCe supplies blood to approximately 200 hospitals across the Northeast and provides several clinical services, including apheresis, cell therapy and diagnostic blood testing.

According to a breach notice provided to the Maine Attorney General's Office, NYBCe discovered a cybersecurity incident on Jan. 26, 2025, and immediately took steps to secure its systems. Over the course of six days in January, the unauthorized party maintained access to the blood center's network.

For impacted Maine residents, the breach involved a combination of names, Social Security numbers, driver's license numbers, financial account information and employment-related information.

"We do not collect or maintain contact information for individuals for whom we provide clinical services," NYBCe said in a separate notice posted on its website. "As a result, we are unable to mail letters to individuals whose information may have been involved."

NYBCe encouraged individuals who believe they were affected to contact its dedicated call center.

"We want to assure you that we take this matter very seriously, and we regret any concern this may cause you," the notice continued. "To help prevent something like this from happening again, we have, and are continuing to, enhance our security protocols and technical safeguards to further protect and monitor our systems."

NYBCe's official breach filing has not yet appeared on the Office for Civil Rights' breach portal.

NYBCe was one of several blood centers to experience a ransomware attack in the span of a few months in 2024 and 2025.

In April 2024, BlackSuit ransomware actors hacked Octapharma, a blood plasma provider. The cyberattack resulted in the closure of more than 190 plasma donation centers in the U.S., as well as disruptions in the European Union.

In July 2024, blood donation nonprofit OneBlood suffered a ransomware attack, forcing it to operate at a reduced capacity with limited blood inventory.

Following the Octapharma and OneBlood cyberattacks, the American Hospital Association and the Health Information Sharing and Analysis Center released a joint bulletin warning the sector of the effects of critical supply chain outages on patient care. The bulletin stressed the importance of proper backup plans in the event of an outage.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.