Cyber Incident Victim: Alegria Family Services

Date: Sep 2022

Location: United States of America

Summary

Alegria Family Services (AFS), a New Mexico-based provider of residential and community services for adults with developmental disabilities, suffered a ransomware attack by the BianLian group, which exfiltrated internal records, personnel files, and client data. The attackers bypassed antivirus protections by fragmenting files, encrypted the organization’s active files and cloud-based backups, and rendered a six-year archive inaccessible, leaving only a three-day-old Windows backup operational. Unable to meet the ransom demand, AFS prioritized notifying all current and past clients—approximately 100 individuals initially, with plans to reach others spanning six years—via personal phone calls due to clients’ cognitive needs, resorting to letters or substitute notices where contact details were unavailable. BianLian had not publicly leaked the data at the time of reporting.

Description

On or around September 7, 2022, Alegria Family Services (AFS), a New Mexico-based provider of residential and community services for adults with developmental disabilities under contract with the state’s Department of Health, experienced a ransomware attack by the BianLian group. The attackers targeted AFS despite its limited resources and nonprofit operational model, potentially misinterpreting a ZoomInfo listing showing $7 million in revenue as discretionary funds rather than restricted Medicaid and federal program allocations. BianLian claimed to have exfiltrated internal records, personnel files, and client data, though the total volume of compromised data was not disclosed. The ransomware evaded antivirus protections by fragmenting files into small units, and it encrypted AFS’s active files along with a cloud-based backup that was actively being updated during the attack. This rendered six years of archived records inaccessible, though a three-day-old Windows backup remained usable for restoration. AFS confirmed it could not meet BianLian’s ransom demand due to financial constraints.

AFS initiated a direct notification effort by personally calling all approximately 100 current clients to explain the breach, prioritizing verbal communication due to clients’ cognitive disabilities and the inadequacy of written notices. The organization further committed to attempting contact with all clients served over the preceding six years, acknowledging that outdated contact information might necessitate letters or substitute notices for some individuals. Operational recovery relied on the unaffected Windows backup, while the encrypted cloud backup left historical data irrecoverable without payment or decryption. BianLian had not published exfiltrated AFS data at the time of reporting. The incident disrupted AFS’s operations and imposed significant logistical burdens due to its intensive notification strategy and loss of archival records.
