The blood donation organization notified regulators that sensitive data was stolen, nearly five months after a ransomware attack hampered its operations.
# Incident Report: OneBlood Ransomware Attack and Data Exfiltration
## Executive Summary
Nonprofit blood donation organization OneBlood suffered a ransomware attack in July 2024 in which sensitive files were exfiltrated without authorization before the ransomware was deployed. The incident forced the organization to operate at reduced capacity, impacting blood supply to 250 hospitals across the southeastern U.S. The subsequent investigation confirmed the theft of names and Social Security numbers, leading to notifications to several state regulators in January 2025.
## Incident Details
- **Discovery Date:** Approximately July 26, 2024
- **Incident Date:** Occurred over a two-week period starting around July 26, 2024 (data exfiltration observed). Ransomware deployment occurred sometime after.
- **Affected Organization:** OneBlood
- **Sector:** Healthcare/Non-profit (Blood Donation Services)
- **Geography:** Southeastern U.S. (serves Alabama, South Carolina, Florida, Georgia, and North Carolina)
## Timeline of Events
### Initial Access
- **Date/Time:** Around July 26, 2024
- **Vector:** Not explicitly stated; indicative of a network intrusion leading to a ransomware event.
- **Details:** Suspicious activity was first discovered on the network.
### Lateral Movement
- **Details:** During a two-week period starting in late July 2024, attackers were active on the network, copying "certain files and folders" without authorization, which suggests that lateral movement gave them access to key data repositories.
### Data Exfiltration/Impact
- **Details:** Sensitive data, including names and Social Security numbers, was copied from the network. The attack ultimately deployed ransomware, forcing OneBlood to operate at reduced capacity for days and leading to critical blood shortages across the hospitals it serves.
### Detection & Response
- **Details:** Suspicious activity was discovered on July 26, 2024. A comprehensive review of affected files was completed in mid-December. Law enforcement was notified. Breach notification letters were sent to state regulators (Maine, Vermont, Massachusetts) in early January 2025, reporting 281 affected individuals in Maine alone.
## Attack Methodology
- **Initial Access:** Unknown, but facilitated the execution of a ransomware attack.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown, though the attackers were able to copy files unnoticed for roughly two weeks.
- **Credential Access:** Implied by the lateral movement that preceded data exfiltration.
- **Discovery:** Implied; attackers mapped the network to identify sensitive files containing PII/SSNs.
- **Lateral Movement:** Confirmed by the copying of files and folders across the network.
- **Collection:** Targeted collection of files containing PII (Names, SSNs).
- **Exfiltration:** Unauthorized copying of files occurred prior to the ransomware deployment phase.
- **Impact:** Deployment of ransomware resulting in operational constraints and data theft/exposure.
## Impact Assessment
- **Financial:** Not disclosed, but significant operational costs were incurred, including one year of credit monitoring services offered to victims.
- **Data Breach:** Names and Social Security Numbers (SSNs) were stolen. At least 281 individuals in Maine were confirmed affected, though the total impact is unknown.
- **Operational:** Severe; OneBlood operated at reduced capacity for days, forcing 250 hospitals to activate critical blood shortage protocols and requiring manual labeling of blood products.
- **Reputational:** Negative public reporting and mandatory regulatory disclosures across multiple states.
## Indicators of Compromise
*Due to the nature of the report (a summary of a breach disclosure), specific IoCs like IP addresses or file hashes were not provided in the source text. The following are behavioral indicators:*
- **Network indicators:** Unauthorized data transfer activity observed correlating with file copying operations.
- **File indicators:** **[N/A - Not specified]**
- **Behavioral indicators:** Files becoming inaccessible or systems rendered inoperable by ransomware encryption; unauthorized access to systems containing employee/donor PII.
## Response Actions
- **Containment measures:** Not explicitly detailed, but the organization initiated a review after discovering suspicious activity.
- **Eradication steps:** Not detailed; the recovery period implies work to isolate the ransomware impact and restore systems.
- **Recovery actions:** The organization conducted a comprehensive review (completed mid-December) and began notifying regulatory bodies and affected individuals, offering credit monitoring.
## Lessons Learned
- The organization suffered a significant disruption that impacted critical healthcare services (blood supply).
- Data exfiltration occurred weeks before detection, indicating potential gaps in real-time monitoring or slow internal response to initial suspicious activity.
- Failure to quantify total victims adequately in initial reports (leaving state forms partially blank) suggests procedural difficulties in assessing post-incident damage.
## Recommendations
- Implement enhanced monitoring to detect unauthorized bulk file transfer/exfiltration activity immediately upon occurrence, rather than weeks later.
- Review endpoint detection and response (EDR) capabilities to ensure early anomaly detection before ransomware payload execution.
- Develop clearer internal protocols for immediate and comprehensive scope assessment during major security incidents to simplify regulatory reporting requirements.
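The first recommendation above, detecting bulk outbound transfers as they happen rather than weeks later, is easiest to see in code. The following is an added example, not part of the original report and not OneBlood's tooling: it assumes flow records (firewall or NetFlow style) have already been reduced to per-host, per-day external egress byte totals, and all hosts, addresses, and volumes are constructed. It flags any internal host whose external egress for the day under review is both above an absolute floor and well outside its own baseline.

```python
"""Volumetric egress anomaly check over constructed flow summaries.

Added example (not from the OneBlood disclosure). Assumes flow records have
been aggregated to per-host daily external egress totals; every address and
byte count below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 7-day baseline: daily bytes each internal host sent to
# destinations outside the 10/8 network.
BASELINE = {
    "10.20.1.15": [1.2e9, 1.1e9, 1.3e9, 0.9e9, 1.0e9, 1.2e9, 1.1e9],  # backup server
    "10.20.1.42": [2.0e8, 2.5e8, 1.8e8, 2.2e8, 2.1e8, 1.9e8, 2.3e8],  # workstation
    "10.20.1.77": [5.0e7, 4.0e7, 6.0e7, 5.5e7, 4.5e7, 5.0e7, 5.2e7],  # HR laptop
}

# Constructed flow records for the day under review: (src, dst, bytes_out).
TODAY_FLOWS = [
    ("10.20.1.15", "10.20.5.9", 4.0e8),        # internal-to-internal, ignored
    ("10.20.1.15", "10.20.5.10", 7.0e8),       # internal-to-internal, ignored
    ("10.20.1.42", "203.0.113.20", 1.5e8),     # within its normal range
    ("10.20.1.42", "10.20.5.9", 6.0e7),
    ("10.20.1.77", "198.51.100.77", 2.3e9),    # far above this host's baseline
    ("10.20.1.77", "10.20.5.9", 3.0e7),
]


def is_internal(ip: str) -> bool:
    """The example network is assumed to live entirely in 10.0.0.0/8."""
    return ip.startswith("10.")


def aggregate_external_egress(flows):
    """Sum bytes each internal source sent to non-internal destinations."""
    totals = defaultdict(float)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def find_egress_anomalies(flows, baseline, z_threshold=3.0, min_bytes=1.0e8):
    """Return (host, bytes_today, z_score) for hosts whose external egress is
    at least min_bytes AND at least z_threshold standard deviations above the
    host's baseline mean. The absolute floor keeps quiet hosts from alerting
    on tiny fluctuations; the z-score catches a busy host that suddenly doubles.
    """
    today = aggregate_external_egress(flows)
    alerts = []
    for host, total in today.items():
        history = baseline.get(host)
        if not history:
            # Unknown host: no baseline to compare against, so use the floor only.
            if total >= min_bytes:
                alerts.append((host, total, None))
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0:
            z = (total - mu) / sigma
        else:
            # Flat baseline: any increase is infinitely unusual, any decrease is not.
            z = float("inf") if total > mu else 0.0
        if total >= min_bytes and z >= z_threshold:
            alerts.append((host, total, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for host, total, z in find_egress_anomalies(TODAY_FLOWS, BASELINE):
        print(f"ALERT {host}: {total / 1e9:.2f} GB external egress today (z={z})")
```

In this constructed data only the HR laptop alerts: its external egress jumps from roughly 50 MB/day to 2.3 GB, while the backup server's large internal transfers are ignored and the workstation stays inside its normal range. In production the same logic would run on each aggregation interval (hourly rather than daily, to close the detection gap the report describes), and a host with no baseline would be enrolled rather than permanently treated as unknown.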