Keep Up with CORL: Vendor Breach Digest, 9/28/21

CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

An unsecured database containing over 61 million records has been exposed by GetHealth, a solution which stores health and wellness data from hundreds of wearables. The database held sensitive health information such as names, birthdates, GPS logs, height, weight and more. A sampling of 20,000 records uncovered that the majority of the exposed records were from Fitbit and Apple's HealthKit. The system was secured within a few hours, although it is unclear how long the records were exposed or who may have been able to access them.

Read more about the Apple & FitBit breach


These organizations were also a part of the GetHealth data breach that exposed over 61 million records of sensitive health information. Other apps and organizations impacted include GoogleFit, Strava, Android Sensor, and ‘S Health’.

Read more about the MapMyFitness, Microsoft, Sony, & Google breach


The personal data of individuals who took a COVID-19 test at a Walgreens pharmacy has been exposed over the Internet due to vulnerabilities in its COVID-19 test registration system. It is currently unclear how many individuals have been affected, although they could well number in the millions given the number of COVID-19 tests Walgreens has performed since April 2020.

Read more about the Walgreens breach


TTEC experienced a widespread system outage caused by an aggressive ransomware group known as "Ragnar Locker". Employees were urged to avoid clicking on a file that suddenly may have appeared in their windows start menu called "!RA!G!N!A!R!". Thousands of employees at TTEC are now unable to work customer support for their vendors, and it is unclear the extent and severity of this incident at this time.

Read more about the TTEC breach


Fortinet has confirmed that a cybercriminal gang managed to gain unauthorized access to VPN login IDs and passwords linked with 87,000 FortiGate SSL-VPN devices. The threat actors dumped a trove of around 500,000 login credentials on a dark web forum and a data leak website. Furthermore, the breach list contains exclusive access to high-profile companies across 74 countries, including Israel, India, France, Italy, and France, whereas out of 225,500 victims, 2,959 are identified as US entities.

Read more about the Fortinet breach


Vista Radiology our of Knoxville, TN was the victim of a hacking breach impacting 3,634 individuals. The initial investigation appeared to suggest the sole purpose of the attack was to encrypt its systems, and that data exfiltration was not involved. However, Vista Radiology was informed on July 15 that some evidence had been found that files or folders containing patient data had been accessed and viewed. Vista Radiology said the encrypted data had been backed up and could be restored and that it did not negotiate with the malicious third party.

Read more about the Vista Radiology breach


Thomas Eye group was the victim of an unauthorized access/disclosure to their network server that affected approximately 500 individuals. Details are limited, though the organization has reported the breach to the Department of Health and Human Services per federal breach notification requirements.

Read more about the Thomas Eye Group breach


CoxHealth warned patients of a phone scam in which someone posing as the Springfield, Mo.-based health system tries to sell patients medical equipment or steal their personal information. The health system confirmed these calls are not from any CoxHealth employees or affiliates, and the scam is not the result of a data breach.

Read more about the CoxHealth breach


Jackson Health System is investigating a nurse who allegedly posted photos mocking a neonatal intensive care unit patient on social media. They have also notified the parent of the patient whose privacy was breached.

Read more about the Jackson Health System breach


Facebook had their data breached by a threat actor who is claiming to sell 3.8 billion of their user records. The database was allegedly compiled by combining phone numbers from a previously scraped Clubhouse ‘secret database’ with users’ Facebook profiles. The compilation appears to include names, phone numbers, and other data. Many healthcare organizations list Facebook as a contracted vendor.

Read more about the Facebook breach


Ottawa Hospital Research Institute has apologized to unvaccinated staff after an email was sent out offering a vaccine education session with each recipient's name visible to others. The email was sent from one of the hospitals software systems and recalled immediately.

Read more about the Ottawa Hospital Research Institute breach


Resource Anesthesiology Associates (RAA) of California has started notifying certain patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that some of their protected health information was stored on a laptop computer that was stolen. The laptop was password protected but not encrypted.

Read more about the Resource Anesthesiology Associates (RAA) breach


CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to assessment results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.

Most Recent Posts
Keep Up with CORL: Vendor Breach Digest, 1/17/22 Read More
Urgent Vendor Risk Alert: Log4j Java/Apache Logging Vulnerability Read More
Keep Up with CORL: Vendor Breach Digest, 12/9/21 Read More