Keep Up with CORL: Vendor Breach Digest, 10/11/22

CORL Vendor Breach Digest

CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being exploited. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft is working to release a fix, but the issue has not been resolved yet.

Read more about the Microsoft breach

 

Novant Health reported that patients' protected health information may have been improperly disclosed because of a Facebook tracking tool used in a May 2020 marketing campaign. Novant Health said it sent letters to 1.3 million patients who could have been affected by the pixel misconfiguration.

For more information and analysis on the Facebook/Meta breach, see CORL’s related blog post: Healthcare Vendors Sharing PHI with Facebook: Analysis & Recommendations.

Read more about the Novant Health breach

 

Aetna ACE announced it has been affected by a ransomware attack on a mailing vendor, OneTouchPoint, which involved the protected health information of 326,278 plan members.

More analysis for the OneTouchPoint breach is available on CORL’s CyberPHIx Podcast: The CyberPHIx Industry News & Trends.

Read more about the Aetna ACE breach

 

Warner Norcross + Judd (law firm) discovered unauthorized activity on some of its systems. The incident impacted approximately 120,000 Priority Health members. The unauthorized party potentially accessed first and last names, pharmacy and claim information, drug names, and prescription dates from certain prescriptions filled in 2012.

Read more about the Warner Norcross + Judd breach

 

LastPass reported that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. There is no evidence at this time that this incident involved any access to customer data or encrypted password vaults.

More analysis for the LastPass breach is available on CORL’s CyberPHIx Podcast: The CyberPHIx Industry News & Trends.

Read more about the LastPass breach

 

The Physicians Spine & Rehabilitation Specialists suffered a hacking/IT incident to their network server that affected approximately 38,765 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about The Physicians Spine & Rehabilitation Specialists breach

 

Choice Health, the company used to help Humana sell its products, experienced a data breach that resulted in the protected health information of 22,767 patients being compromised. Choice Health learned that an unauthorized party was offering data that was allegedly stolen from its network. Upon learning of this information, Choice Health launched an investigation and found that a technical security configuration issue caused by a third-party service provider allowed individuals to access one of Choice Health's databases through the internet.

Read more about the Choice Health breach

 

MultiCare reported a data breach in which files containing protected health information were potentially removed from Avamere's network, possibly including full names, diagnoses, and provider names. The files may have included data on 18,614 beneficiaries of MultiCare's Bundled Payment for Care Improvement Advanced program.

More analysis on the Avamere breach is available on CORL’s CyberPHIx Podcast: The CyberPHIx Industry News & Trends.

Read more about the MultiCare breach

 

The Bronx Accountable Healthcare Network suffered a hacking/IT incident to their email that affected approximately 17,161 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about The Bronx Accountable Healthcare Network breach

 

Gifted Healthcare has reported a security breach affecting approximately 13,770 individuals. While the incident appeared to be confined to a single email account, the investigation revealed three email accounts had been compromised. Data compromised in the incident included names, addresses, driver’s license numbers, social security numbers, financial information, health insurance information, and medical information.

Read more about the Gifted Healthcare breach

 

WellMed Medical Management experienced an unauthorized access/disclosure to their electronic medical records and network server affecting approximately 10,506 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the WellMed Medical Management breach

 

USAble Mutual Insurance Company d/b/a Arkansas BCBS suffered a hacking/IT incident to their network server that affected approximately 8,871 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the USAble Mutual Insurance Company d/b/a Arkansas BCBS breach

 

Berry, Dunn, McNeil & Parker confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data through a compromised employee email account. Based on state data breach reporting requirements, it appears likely that the breach involved consumer names, as well as their social security numbers, driver’s license numbers, state identification numbers, protected health information and financial account information.

Read more about the Berry, Dunn, McNeil & Parker breach

 

Gardner Resources Consulting confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on the company’s network. According to the company, the breach resulted in the names, social security numbers, driver’s license numbers, other government-issued identification numbers, and financial account information of 8,969 individuals being compromised.

Read more about the Gardner Resources Consulting breach

 

One Medical has recently confirmed that it was the victim of a cyberattack in which names, addresses, medical information, and social security numbers were potentially compromised. The breach appears to have affected at least 964 Texas residents.

Read more about the One Medical breach

 

M.C. Dean (physical security company) confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on M.C. Dean’s network. While the company’s data breach letter does not mention the types of information that were leaked as a result of the incident, based on state data breach reporting requirements, it is likely that the incident impacted consumers’ names as well as their social security numbers, financial account information or protected health information.

Read more about the M.C. Dean breach

 

DaVita suffered a hacking/IT incident to a laptop that affected approximately 1,092 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the DaVita breach

 

Genesis HealthCare reported a data breach with the Office of the Montana Attorney General after the company discovered that an unauthorized party had access to its computer system for a period of nearly three months. While the company did not mention the type of information that was leaked as a result of the incident, under state reporting guidelines, a company only needs to report a breach if it involved consumers’ social security numbers, financial account information, protected health information, driver’s license numbers, or state identification numbers.

Read more about the Genesis HealthCare breach

 

Health Advantage suffered a hacking/IT incident to their network server that affected approximately 1,642 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the Health Advantage breach

 

SCA Pharmaceuticals, LLC experienced a malware attack resulting in the names, dates of birth, social security numbers, other governmental identifiers, certain health information, and bank account information of certain individuals being compromised.

Read more about the SCA Pharmaceuticals, LLC breach

 

Medical Mutual suffered a hacking/IT incident to their network server that affected approximately 1,377 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the Medical Mutual breach

 

Brasseler USA reported a data breach with the Montana Department of Justice after an unauthorized party gained access to the company’s computer network. According to Brasseler, the breach resulted in the following consumer information being compromised: names, social security numbers, driver’s license numbers, passport numbers, financial account information (including debit card and credit card numbers), medical and insurance information, and other information, such as dates of birth.

Read more about the Brasseler USA breach

 

DataStat (survey data collection company) experienced an unauthorized access/disclosure to their paper/films that affected approximately 1,650 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the DataStat breach

 

Florida Orthopaedic Institute reported a ransomware attack had encrypted data stored on its servers. The attack resulted in potential access and exfiltration of patient data, including names, social security numbers, birth dates, medical information, insurance plan identification numbers, claims addresses, payer identification numbers, and other personal information.

Read more about the Florida Orthopaedic Institute breach

 

Centerstone confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on Centerstone’s network through compromised employee email accounts. Information compromised included names, addresses, social security numbers, dates of birth, client identification numbers, medical diagnosis and treatment information, and health insurance information of certain patients.

Read more about the Centerstone breach

 

Twilio (patient engagement company) reported it was hacked by a relentless threat actor who successfully tricked employees into giving up login credentials that were then used to steal third-party customer data. The company did not provide details on the extent of the breach, how many customers were affected, or whether the stolen data was encrypted and secured.

Read more about the Twilio breach

 


CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to assessment results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allow healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.
