Hospitals and health systems across the United States have become the targets of a highly unusual wave of communications purporting to be data extortion threats, delivered not through conventional digital channels, but via the U.S. Postal Service (USPS).
The American Hospital Association (AHA) and the Federal Bureau of Investigation (FBI) have confirmed receiving multiple reports regarding these letters, sparking concern within the healthcare sector, even as experts assess them as likely fraudulent.
Details of the Postal Threat
The letters, which have surfaced “in recent days,” bear the hallmarks of attempted data extortion but arrive through a distinctly low-tech method compared to the sophisticated cyberattacks healthcare organizations typically face. Primarily, these communications claim to originate from “BianLian,” a ransomware group known for targeting organizations across various sectors, including healthcare, and employing double extortion tactics – stealing data before encrypting systems and threatening to publish the stolen information if a ransom is not paid.
However, several key details in the letters raise significant red flags regarding their authenticity. The letters carry a U.S.-based return address in Boston, listed as “BianLian Group.” While the correspondence alleges possession of a “large amount of sensitive patient health information” (PHI) and other “personally identifiable information” (PII) purportedly stolen from the recipient organization, it conspicuously lacks any concrete proof of this claim. Furthermore, although the letters provide details on a ransom demand and specify a payment method, they do not include any legitimate contact details for verification or negotiation, another deviation from typical ransomware group practices.
Expert Assessment Points to Likely Hoax
The unconventional delivery method and the lack of substantiating evidence have led experts to cast serious doubt on the legitimacy of these threats. John Riggi, the AHA national advisor for cybersecurity and risk, weighed in on the situation, describing the use of USPS by a “real foreign ransomware group” as “highly unusual and unlikely.”
Riggi’s assessment suggests these attempts are, in fact, “likely hoaxes.” Real ransomware groups, particularly those understood to operate internationally, as BianLian is, overwhelmingly rely on digital communication channels – email, encrypted messaging apps, or dedicated dark web negotiation portals – to deliver demands, communicate with victims, and provide proof of compromise. The physical mailing of extortion letters via a domestic postal service is an anomaly that strongly indicates a fraudulent scheme rather than a genuine cyber operation by a known threat actor.
Industry Response and Recommendations
In response to the reports, the AHA has actively engaged with the recipient hospitals and health systems, providing guidance and coordinating with federal law enforcement. The FBI has also been alerted and is involved in assessing the nature and origin of these letters.
Recognizing the potential for confusion and alarm these letters could cause, the AHA has issued clear recommendations for any hospital or health system that receives such a communication. Organizations are strongly advised to contact their local FBI field office immediately to report the incident. Filing a formal report is crucial for law enforcement to track the scope of this activity and potentially identify the perpetrators behind the mailings.
Furthermore, recipients are urged to preserve the physical letter and its accompanying envelope. These items are considered critical evidence and should be handled carefully to avoid contaminating potential forensic clues, such as fingerprints or postal markings, that could aid investigators. The preservation of this physical evidence is a standard procedure in criminal investigations, underscoring the seriousness with which law enforcement is treating even these likely hoax attempts.
Context and Continued Vigilance
While these specific postal letters are assessed as likely hoaxes, they underscore the persistent threat environment facing the U.S. healthcare sector. Hospitals and health systems remain prime targets for cybercriminals due to the valuable and sensitive nature of the data they hold. Real ransomware attacks and data breaches pose significant risks to patient care, operational continuity, and financial stability.
The current wave of mail-based threats, though likely fake, serves as a reminder for healthcare organizations to maintain robust cybersecurity postures and vigilance against various forms of malicious activity. Organizations should continue to follow established protocols for reporting suspicious communications, whether digital or physical, to the appropriate authorities, including the FBI and potentially the Cybersecurity and Infrastructure Security Agency (CISA).
Even in the case of probable scams, timely reporting and evidence preservation are vital steps in protecting the broader healthcare ecosystem and assisting law enforcement efforts to identify and apprehend those attempting to exploit fears surrounding real cyber threats for fraudulent gain. The healthcare sector remains on alert, addressing both credible digital threats and unusual physical ones like these likely counterfeit extortion demands arriving through the mail.