OneBlood confirms personal data stolen in July ransomware attack

Blood-donation not-for-profit OneBlood confirms that donors’ personal information was stolen in a ransomware attack last summer.

OneBlood first notified the public about the attack on July 31, 2024, noting that ransomware actors had encrypted its virtual machines, forcing the healthcare organization to fall back to using manual processes.

OneBlood supplies blood to over 250 hospitals across the United States, and the attack caused delays in blood collection, testing, and distribution, leading to ‘critical blood shortage’ protocols in some clinics.

At the time, the not-for-profit organization issued an urgent call for O Positive, O Negative, and Platelet donations, which are universally compatible and can be used in urgent transfusions.

Last week, OneBlood began sending data breach notifications to impacted individuals to inform them that its investigation into the incident was completed on December 12, 2024, and determined the exact date of the breach to be July 14, 2024.

The threat actor retained access to OneBlood’s network until July 29, one day after the healthcare organization discovered the breach.

“Our investigation determined that between July 14 to July 29, 2024, certain files and folders were copied from our network without authorization,” reads the OneBlood data breach notification.

“The investigation determined that your name and Social Security number was included in the relevant files and folders,” specifies the same document.

Although blood collection centers typically collect more information such as phone numbers, email and physical addresses, demographic data, and medical history, the exposed data is limited to names and SSNs.

Names and SSNs can potentially be used for identity theft and financial fraud, and because they can’t be changed easily, the risk persists for many years.

To mitigate this risk, OneBlood has enclosed in the letter activation codes for a free one-year credit monitoring service, which notification recipients have until April 9, 2025, to use.

Additionally, impacted individuals should consider placing credit freezes and fraud alerts on their accounts to prevent financial damages.

Although OneBlood did abide by its original promise to inform impacted individuals of potential data exposure, the six-month delay has left those people at risk.

The number of individuals impacted by the ransomware attack at OneBlood hasn’t been disclosed.

