Ransomware attack at blood center: Org tells users their data’s been stolen

blood donors NYBC

A blood center has begun sending data breach notifications to its users after suffering a ransomware attack and theft of personal data.

The New York Blood Center’s (NYBC) suffered the ransomware attack in January, in which an unauthorized party gained access to its network and acquired copies of a subset of files. The security incident was first noticed on January 26, 2025, but this week NYBC has started notifying victims.

NYBC publicly acknowledged the scale but has not issued a precise number of affected people due to ongoing investigations and limitations in contact information for all service recipients. Based on documents that NYBC submitted to regulators in several states, hackers could have stolen information belonging to at least tens of thousands of people.

NYBC ranks among the largest independent community-based blood collection organizations in the US. It serves over 75 million people across more than 17 states and delivers about one million lifesaving blood products annually.

The information varies per affected individual but can include:

Name
Social Security number
Driver’s license or other government identification card number.
Financial account information if you participated in direct deposit.

NYBC also provides clinical services, and diagnostic blood testing, for which it needs clinical information from healthcare providers. New York Blood Center Enterprises said some of this information was also accessed by the attackers during the cyber incident.

So far it is unknown which ransomware group might have been behind the attack, and we have seen no threats to publish or sell the acquired data. But this could change quickly once negotiations about the ransom come to an end without the cybercriminals getting paid what they demand.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.