New York Blood Center Enterprises this week confirmed it notified 193,822 people of a January 2025 data breach that leaked the following personal info:
- Names
- Social Security numbers
- State-issued ID numbers (e.g. driver’s license)
- Bank account info if you participated in direct deposit
- Health information
- Test results
No cybercriminal groups have publicly taken credit for the breach as of time of publication.
“NYBCe has been investigating and addressing a cybersecurity incident that occurred in January of 2025,” said a New York Blood Center spokesperson. “Upon learning of the incident, we took immediate actions to contain the threat and to help reduce disruption to our critical services.”
New York Blood Center did not say what cybercriminal group attacked it, if it paid a ransom, or how attackers breached its systems.
“On January 26, 2025, we experienced a cybersecurity incident that affected our internal computer systems,” says New York Blood Center’s notice to victims. “The investigation determined that, between January 20 and January 26, 2025, an unauthorized party gained access to our network and acquired copies of a subset of our files.”
Although the Blood Center reported 193,822 victims to the Oregon Attorney General, its website says, “We do not collect or maintain contact information for individuals for whom we provide clinical services. As a result, we are unable to mail letters to individuals whose information may have been involved.”
Patients whose data was shared with the Blood Center should call to confirm whether or not their data was compromised.
The Blood Center is offering victims free credit and identity monitoring through Experian.
Ransomware attacks on US healthcare
Comparitech researchers have logged 60 confirmed ransomware attacks in 2025 on US hospitals, clinics, and other direct care providers, compromising 5.4 million records.
The attack on New York Blood Center Enterprises is the fourth largest such attack of the year based on the number of records compromised. The larger three are:
- DaVita notified 2.7 million people following a March 2025 breach claimed by ransomware group Interlock
- Frederick Health notified more than 934,000 people of a January 2025 cyber attack
- Marlboro-Chesterfield Pathology notified 236,000 people of a January 2025 cyber attack claimed by ransomware group SafePay
Other recently confirmed such attacks include:
- Huron Regional Medical Center notified victims of a May 2025 attack claimed by ransomware group Beast
- OB-GYN Associates notified victims of an August 2025 attack claimed by Inc Ransomware
About New York Blood Center Enterprises
Founded in 1964, New York Blood Center Enterprises is a not-for-profit organization that makes blood and stem cell products, specialty pharmaceuticals, and medical tests. It consults hospitals and patients and performs research.
NYBCe operates 10 locations, collaborates with more than 600 hospitals, and has served more than 75 million patients, according to its website.
NYBCe’s full statement in response to Comparitech’s questions is below:
“NYBCe has been investigating and addressing a cybersecurity incident that occurred in January of 2025. Upon learning of the incident, we took immediate actions to contain the threat and to help reduce disruption to our critical services. We have been working diligently with legal and forensic partners to investigate what happened. Importantly, we are operating as normal and all blood collection activities, donor center operations and community blood drives are continuing across our operating divisions.
The investigation determined that an unauthorized party gained access to our network and managed to acquire copies of some of our documents. Over the last several months we have reviewed the information impacted and we are now in the process of notifying relevant individuals pursuant to applicable laws.
Maintaining the confidentiality and security of the information in our care is something we take very seriously, and we sincerely regret the concern this has caused. NYBCe is continuing to implement enhancements to our information security, systems and monitoring capabilities.
Individuals with questions can call the dedicated, confidential call center we established for this matter at 877-250-2848, Monday through Friday, between 9:00 a.m. and 9:00 p.m., Eastern Time, excluding major U.S. holidays.”
