The BlackCat (ALPHV) ransomware gang has claimed responsibility for breaching the network of healthcare giant Henry Schein and stealing dozens of terabytes of data, which includes payroll data and shareholder information. As a provider of healthcare solutions and a Fortune 500 company, Henry Schein operates in 32 countries and generated revenue exceeding $12 billion in 2022.

On October 15, Henry Schein reported that it had to disconnect some of its systems to manage a cyberattack that affected its manufacturing and distribution operations the previous day. In response, the company quickly took precautionary measures such as shutting down certain systems and implementing additional steps to control the incident, resulting in temporary disruptions in some business areas. Henry Schein is actively working to rectify the issues caused by the attack.

Despite some disruptions, the company has confirmed that the Henry Schein One practice management software remains unaffected. After notifying law enforcement about the incident, Henry Schein has engaged external cybersecurity and forensic experts to look into a possible data breach as a result of the attack.

Following the cyberattack disclosure, Henry Schein advised customers to place their orders through a Henry Schein representative or use dedicated telesales phone numbers, as communicated in a letter released a week later. A request for comments from a Henry Schein spokesperson by BleepingComputer earlier today did not receive an immediate response.

Two weeks after the initial disclosure, the BlackCat/ALPHV ransomware group listed Henry Schein on its dark web leak site, alleging that they penetrated the company's network and exfiltrated 35 TB of sensitive files. The ransomware gang also claimed that they re-encrypted the company's devices as Henry Schein neared complete restoration of its systems, citing the failure of ongoing negotiations.

According to the ransomware group, despite talks with Henry Schein's team, there was no indication that the company intended to prioritize securing their clients, partners, and employees' data, or to safeguard their own network infrastructure.

The BlackCat ransomware operation, which became active in November 2021, is believed to be a revamped version of the infamous DarkSide/BlackMatter group. Originally known as DarkSide, this cybercrime outfit garnered international notoriety after targeting the Colonial Pipeline, leading to investigations by law enforcement agencies around the globe.

A BlackCat affiliate identified as Scattered Spider has taken credit for the MGM Resorts breach, claiming to have encrypted over 100 ESXi hypervisors after MGM Resorts turned down ransom negotiations and disabled their internal infrastructure. In April 2022, the FBI connected the group to over 60 successful attacks on organizations around the world from November 2021 to March 2022.