{
	"id": "5f918132-0719-47f7-bca9-b4f35a150127",
	"created_at": "2026-04-06T00:14:08.879352Z",
	"updated_at": "2026-04-10T13:12:42.057624Z",
	"deleted_at": null,
	"sha1_hash": "96a795809492acd4baa208013815234facc6275c",
	"title": "BlackCat ransomware claims breach of healthcare giant Henry Schein",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2840343,
	"plain_text": "BlackCat ransomware claims breach of healthcare giant Henry Schein\r\nBy Sergiu Gatlan\r\nPublished: 2023-11-02 · Archived: 2026-04-05 20:29:49 UTC\r\nThe BlackCat (ALPHV) ransomware gang claims it breached the network of healthcare giant Henry Schein and stole dozens\r\nof terabytes of data, including payroll data and shareholder information.\r\nHenry Schein is a healthcare solutions provider and a Fortune 500 company with operations and affiliates in 32 countries\r\nand revenue of over $12 billion in 2022.\r\nThe company disclosed on October 15 that it was forced to take some systems offline to contain a cyberattack that impacted\r\nits manufacturing and distribution businesses one day before.\r\n\"Henry Schein promptly took precautionary action, including taking certain systems offline and other steps intended to\r\ncontain the incident, which has led to temporary disruption of some of Henry Schein's business operations. 
The Company is\r\nworking to resolve the situation as soon as possible,\" it said.\r\nWhile some of its business operations were disrupted, the company says its Henry Schein One practice management\r\nsoftware has not been impacted.\r\nHenry Schein notified relevant law enforcement authorities of the incident and has since hired external cybersecurity and\r\nforensics experts to investigate a potential data breach stemming from the attack.\r\nIn a letter published one week after disclosing the cyberattack, the healthcare services provider urged customers to place\r\norders through their Henry Schein representative or using dedicated telesales phone numbers.\r\nA Henry Schein spokesperson was not immediately available for comment when contacted by BleepingComputer earlier\r\ntoday.\r\nBlackCat claims Henry Schein breach\r\nAlmost two weeks later, the BlackCat/ALPHV ransomware group has added Henry Schein to its dark web leak site,\r\nclaiming that they breached the company's network and stole 35 TB of sensitive files.\r\nThe gang claims they encrypted the company's devices again just as Henry Schein almost finished restoring all its systems\r\nbecause ongoing negotiations failed.\r\n\"Despite ongoing discussions with Henry's team, we have not received any indication of their willingness to prioritize the\r\nsecurity of their clients, partners, and employees, let alone protect their own network,\" the threat actors said.\r\n\"As of midnight today, a portion of their internal payroll data and shareholder folders will be published on our collections\r\nblog. 
We will continue to release more data daily.\"\r\nHenry Schein's entry on BlackCat's data leak site has since been deleted, hinting at the company restarting negotiations or\r\npaying the ransom.\r\nThe BlackCat ransomware operation surfaced in November 2021 and is suspected to be a rebrand of the notorious\r\nDarkSide/BlackMatter group.\r\nInitially known as DarkSide, the cybercrime gang drew global attention after infiltrating Colonial Pipeline, prompting law\r\nenforcement investigations worldwide.\r\nMore recently, a BlackCat affiliate tracked as Scattered Spider claimed responsibility for the MGM Resorts breach,\r\nallegedly encrypting over 100 ESXi hypervisors after MGM Resorts refused ransom negotiations and shut down its internal\r\ninfrastructure.\r\nIn April 2022, the FBI linked the group to successful attacks on more than 60 organizations worldwide between November\r\n2021 and March 2022.\r\nH/T Dominic Alvieri\r\nSource: https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-breach-of-healthcare-giant-henry-schein/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-breach-of-healthcare-giant-henry-schein/"
	],
	"report_names": [
		"blackcat-ransomware-claims-breach-of-healthcare-giant-henry-schein"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434448,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96a795809492acd4baa208013815234facc6275c.pdf",
		"text": "https://archive.orkl.eu/96a795809492acd4baa208013815234facc6275c.txt",
		"img": "https://archive.orkl.eu/96a795809492acd4baa208013815234facc6275c.jpg"
	}
}