Keep Up with CORL: Vendor Breach Digest, 11/3/21

CORL Vendor Breach Digest

CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

Limeade provides mobile-first solutions grounded in science to improve employee well-being, engagement and inclusion. The business associate suffered an unauthorized access/disclosure incident involving a desktop computer that affected approximately 2,287 individuals.

Read more about the Limeade breach


Wiggin and Dana LLP experienced a security incident affecting its network systems and received confirmation that certain files stored within its environment may have been accessed. The firm is providing notice because the investigation confirmed that the following types of information may have been present in the affected systems at the time of the incident: name, date of birth, Social Security number, financial account information, medical/diagnosis/treatment information, and/or government-issued identification numbers.

Read more about the Wiggin and Dana LLP breach


PracticeMax, a vendor that Anthem and Humana use to share information with VillageHealth, a kidney care provider, suffered a ransomware attack, and Anthem members enrolled in the VillageHealth program were notified that some of their protected health information may have been compromised. The attack lasted from April 17 to May 15; a server containing PHI was accessed and files were stolen. The following types of data were exposed: first and last name, date of birth, address, phone number, Anthem member ID number, and clinical data relating to kidney care services received. Humana reported that the event affected 4,424 of its patients. Anthem reported the breach to the California attorney general, but the number of records was not disclosed.

Read more about the PracticeMax, VillageHealth, & Anthem breach


Accenture disclosed a ransomware attack by the LockBit group. At the time of the attack, threat intelligence firm Cyble reported that the gang had stolen databases containing over 6TB of data and was demanding a $50M ransom; the firm also claimed the intrusion was an insider job. Accenture stated that operations were not impacted and that it was able to restore from backups, and denied claims that the ransomware operators had stolen customer credentials.

Read more about the Accenture breach


Microsoft stated that a new Iran-linked hacking group has targeted more than 250 Office 365 tenants and compromised accounts at fewer than 20 of those tenant organizations. The attacks, which the company disclosed in a security alert, were carried out via password spraying: rather than trying many passwords against one account, the attacker tries one or a few common passwords against many accounts, rotating the username on each attempt so that no single account accumulates enough failures to trigger a lockout.

Read more about the Microsoft breach
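The spray pattern described above is easiest to see when sign-in failures are grouped by source address rather than by account: a spray shows many distinct usernames with one or two failures each, while a brute-force attempt shows many failures against one username. The following detector is an added example and is not code from CORL, Microsoft or the published alert. The comma-separated event format, the sample sign-in events and the thresholds (five distinct accounts within 30 minutes, at most two failures per account) are assumptions chosen for illustration; a real deployment would read Azure AD or IdP sign-in logs and tune the thresholds to its own baseline.

```python
"""Password-spray detection over sign-in events, grouped by source IP.

Added example. Event format, sample data and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp,user,source_ip,result.
# 203.0.113.7 tries one guess against many accounts (a spray) and then
# succeeds against frank; 198.51.100.9 hammers a single account (brute
# force, not a spray); 192.0.2.5 is a user mistyping a password twice.
SAMPLE_EVENTS = """\
2021-10-26T08:00:01Z,alice@example.com,203.0.113.7,failure
2021-10-26T08:00:03Z,bob@example.com,203.0.113.7,failure
2021-10-26T08:00:05Z,carol@example.com,203.0.113.7,failure
2021-10-26T08:00:07Z,dave@example.com,203.0.113.7,failure
2021-10-26T08:00:09Z,erin@example.com,203.0.113.7,failure
2021-10-26T08:00:11Z,frank@example.com,203.0.113.7,success
2021-10-26T08:01:00Z,grace@example.com,198.51.100.9,failure
2021-10-26T08:01:01Z,grace@example.com,198.51.100.9,failure
2021-10-26T08:01:02Z,grace@example.com,198.51.100.9,failure
2021-10-26T08:01:03Z,grace@example.com,198.51.100.9,failure
2021-10-26T08:01:04Z,grace@example.com,198.51.100.9,failure
2021-10-26T08:02:00Z,heidi@example.com,192.0.2.5,failure
2021-10-26T08:02:20Z,heidi@example.com,192.0.2.5,failure
2021-10-26T08:02:40Z,heidi@example.com,192.0.2.5,success
"""


def parse_events(text):
    """Parse 'timestamp,user,source_ip,result' lines into sorted tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user.strip().lower(), ip.strip(), result.strip()))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Return one alert per source IP whose failed sign-ins span at least
    min_users distinct accounts inside a sliding window, with no single
    account failing more than max_per_user times. The per-user cap is what
    separates a spray from brute force against one account, which this
    function deliberately does not report."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(set)   # ip -> {user}
    for ts, user, ip, result in events:
        if result == "failure":
            failures[ip].append((ts, user))
        elif result == "success":
            successes[ip].add(user)

    alerts = []
    for ip, fails in sorted(failures.items()):
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(user for _, user in fails[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > best["distinct_users"]:
                    best = {
                        "source_ip": ip,
                        "distinct_users": len(counts),
                        "first_seen": fails[start][0],
                        "last_seen": fails[end][0],
                        # Any account that signed in successfully from a
                        # spraying IP is a candidate compromised account.
                        "successful_logins": sorted(successes[ip]),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In this sample only 203.0.113.7 is reported: five accounts, one failure each, followed by a successful sign-in for frank@example.com, which is the account to investigate first. The five failures against grace@example.com from 198.51.100.9 are not flagged as a spray because they all target one account; they would be caught by a separate per-account lockout or brute-force rule.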


Independent Health, a large health plan based in New York, suffered an unauthorized access/disclosure incident involving email that affected approximately 541 individuals. The organization has reported the breach to the Department of Health and Human Services per federal breach notification requirements, though further details are limited.

Read more about the Independent Health breach


EMI Health, a health plan based in Utah, launched an investigation that determined an unauthorized person gained access to its network between and deployed malware on its systems. The unauthorized person acquired copies of some documents from those systems that contained member information; EMI Health does not yet know which specific members' information was involved. EMI Health believes that the documents contain member names, Social Security numbers, driver's license numbers, addresses, dates of birth, health insurance identification numbers, and/or clinical information.

Read more about the EMI Health breach


Orange County HCA suffered an unauthorized access/disclosure incident involving paper/films that affected approximately 4,732 individuals. The organization has reported the breach to the Department of Health and Human Services per federal breach notification requirements, though further details are limited.

Read more about the Orange County HCA breach


American Osteopathic Association is notifying approximately 27,500 individuals that some of their personal information was stolen in a cyberattack. A review determined that names, addresses, dates of birth, Social Security numbers, financial account information, and email addresses/usernames and passwords were among the exfiltrated data.

Read more about the American Osteopathic Association breach


GitHub was informed of a vulnerability that allows code to be approved automatically without any peer or supervisor review. The flaw, discovered by security startup Cider Security, circumvents security controls and is present even in organizations that have not enabled the recently introduced feature.

Read more about the GitHub breach


Acer has confirmed that its after-sales service systems in India were recently breached in what the company called "an isolated attack." While Acer did not identify the attackers, a threat actor has already claimed the attack on a popular hacker forum, saying that they stole more than 60GB of files and databases from Acer's servers.

Read more about the Acer breach


Olympus, a global medical device vendor, was forced to take down its IT systems in the Americas following a cyberattack on its network. An Olympus spokesperson stated that the company had found no evidence of data loss in its ongoing investigation of the incident. This is the second major cyberattack on Olympus in 2021.

Read more about the Olympus breach


CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to the results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.
