OneBlood reports data breach to state regulators after ransomware attack


Names and Social Security numbers were stolen from the nonprofit blood donation organization OneBlood during a ransomware attack last year. 

The organization, which provides blood to healthcare facilities across the southeastern U.S., reported a cyberattack to regulators in Maine, Vermont and Massachusetts this week but declined to say how many people were impacted by the incident.

In the letters to victims, OneBlood said it discovered suspicious activity on its network around July 26 last year.

During a two-week period that month, they said, “certain files and folders were copied from our network without authorization.”

“We conducted a comprehensive review of the affected files to identify the types of information contained in them and to whom the information relates,” the organization said. 

The company completed its review in mid-December. 

Law enforcement was notified about the attack, according to the letters, and OneBlood will be offering victims one year of credit monitoring services. 

Maine’s incident reporting site asks organizations to list how many total people were affected by a breach but OneBlood took the unusual step of leaving that part of the form blank, only writing that 281 people based in Maine were impacted. OneBlood did not respond to requests for comment. 

The attack on OneBlood forced the organization to operate at reduced capacity for days, limiting the amount of blood that could be provided to the 250 hospitals it serves across Alabama, South Carolina, Florida, Georgia and North Carolina. 

The hospitals had to activate their critical blood shortage protocols and OneBlood had to manually label blood products due to the ransomware attack, CNN reported.

No ransomware gang ever took credit for the attack. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
