Massachusetts accounting firm Bookkeeping & Business Services (BBS) this week confirmed it notified 70,168 people about a December 2023 data breach that compromised clients’ private medical and tax information.
What info was compromised depends on whether the victim is a medical billing client or tax preparation client.
For tax preparation clients, the breached info can include:
- Name
- Social Security number
- Tax forms including 1120, 1120-S, 1065, and K-1
- Address
- Other documents provided by clients
For medical billing clients, the breached info can include:
- Name
- Address
- Dates of doctor visits
- Numeric codes for billed medical services
- Health insurance carrier
- Health insurance group and plan numbers
- “Other info that BBS received from providers to support medical billing”
BBS says ransomware gang BianLian is responsible for the breach. BianLian did not claim responsibility for the attack on its leak site, but BBS says it did pay a ransom.
BBS’ notice to victims states, “On January 29, 2024, BBS learned that data had been exfiltrated from its server network, and that the perpetrator was demanding ransom to delete it. BBS shut down its network and engaged counsel and a forensic expert to investigate. The investigation as well as negotiations with the perpetrator confirmed that data was in fact exfiltrated. In consultation with the FBI, BBS determined that the perpetrator, BianLian, was legitimate and reliable. BBS therefore negotiated and paid a ransom, and obtained credible evidence of the destruction of all data exfiltrated from its network, in order to protect affected individuals.”
The notice goes on to say that BBS informed the IRS of the attack so that the agency can implement safeguards and prevent tax fraud that might result from the attack. Victims might have to take extra steps to verify their identities with the IRS the next time they file taxes.
BBS is offering eligible victims two years of free credit monitoring and identity theft protection via Equifax.
We do not yet know how attackers breached BBS’ network or how much the firm paid in ransom. Comparitech contacted BBS for comment and will update this article if it replies.
Who is BianLian?
First appearing in late 2021, BianLian has claimed responsibility for attacks on a wide range of targets in the education, healthcare, business, and government sectors.
Comparitech researchers logged 31 confirmed ransomware attacks claimed by BianLian so far this year, affecting more than 1.9 million records. In 2023, we recorded 31 attacks in total, affecting more than 1 million records.
BianLian recently claimed responsibility for a breach at enterprise networking provider ATSG, which compromised more than 900,000 records, including those of the firm’s clients such as Boston Children’s Health Physicians. The group was also behind a July 2024 data breach at South West Family Medicine Associates, which affected almost 37,000 records.
The group claimed a further 113 ransomware attacks in 2024 that haven’t been acknowledged by targets.
Ransomware attacks on US finance
Ransomware attacks on finance companies can steal confidential data and disrupt operations, leading to delays and data loss. Aside from data theft, ransomware often encrypts affected systems so they can’t be used until a ransom is paid to decrypt them. Ransomware groups demand an additional ransom in exchange for not selling or publicly releasing stolen data.
In 2024 so far, Comparitech tracked 38 confirmed ransomware attacks on US finance companies, affecting 33.7 million records. The largest attacks were against LoanDepot (16.9 million records), Evolve Bank & Trust (7.6 million), and Financial Business and Consumer Solutions (4.3 million).
Another 109 attacks in 2024 were claimed by ransomware groups but not acknowledged by victims.
About BBS Financial Services
BBS is an accounting firm in Methuen, Massachusetts. It sells tax preparation, payroll, and medical billing services.