
Keep Up with CORL: Vendor Breach Digest, 1/17/22


CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

Kronos has been hit with a ransomware attack, revealing that information from many of its high-profile customers may have been accessed. Its staff noticed unusual activity impacting UKG solutions using Kronos Private Cloud and were forced to shut down their system for weeks. Kronos provides HR software, including critical functions for timekeeping, payroll, and benefits.

Read more about the Kronos breach

 

Microsoft Exchange Outlook Web Access servers have reportedly been accessed remotely by threat actors. An IIS web server module named "Owowa" was installed which allowed attackers to steal credentials.

Read more about the Microsoft Exchange Outlook Web Access breach

 

BioPlus's IT network was hacked. An investigation confirmed files containing the protected health information of certain patients had been accessed, but it was not possible to rule out the possibility that the hacker accessed the PHI of all of its patients. The decision was therefore taken to notify all 350,000 current and former patients about the breach. Files that were accessible to the hacker included patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. Some patients also had their social security numbers exposed. BioPlus is also facing a new class-action lawsuit related to the breach.

Read more about the BioPlus breach
Additional info on the BioPlus breach

 

QRS has been sued in a new class action lawsuit over an August 2021 cyberattack that impacted almost 320,000 current and former patients and involved unauthorized third-party access to one of QRS's dedicated patient portal servers. The attackers potentially acquired sensitive information, including social security numbers, patient ID numbers, portal usernames, names, addresses, birth dates and medical treatment information.

Read more about the QRS breach
Listen to Meditology's CyberPHIx Roundup podcast covering the QRS breach

 

BDO clients said their money was illegally transferred to a UnionBank account under a pseudonym and used to buy cryptocurrency. The company said the suspected hackers of the compromised accounts have been identified. BDO said it is processing the reimbursement of nearly 700 clients affected by these fraudulent transactions.

Read more about the BDO breach

 

The Medical Review Institute of America was the victim of a cyberattack. After an investigation, PHI was found to have been breached, but there was no reported evidence of misuse of the sensitive information. The types of information breached included demographic, clinical, and financial information.

Read more about the Medical Review Institute of America breach

 

Doxy.me is resolving an issue that gave three third-party companies access to the names of patients' providers. Doxy.me took measures to remove provider names from the URLs it sent to third parties, but the third parties used technical loopholes to view the full URLs. The company encrypts patient-provider interactions and does not use tracking mechanisms during those visits.

Read more about the Doxy.me breach

 

Jefferson Surgical Clinic detected that it was the target of a cybersecurity attack. An unauthorized third party attempted to infiltrate its computer network. An investigation determined that information – including names, dates of birth, social security numbers, and health/treatment information – was potentially accessed by an unknown party.

Read more about the Jefferson Surgical Clinic breach

 

EMI Health suffered a hacking/IT incident involving their network server that affected approximately 39,317 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the EMI Health breach

 

Neuro-Rehab Associates, Inc. recently suffered a hacking/IT incident involving their network server that affected approximately 501 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the Neuro-Rehab Associates breach

 

UScellular discovered unauthorized access to its billing system that resulted in the exposure of data associated with wireless customer accounts. Information in customer accounts included name, address, PIN code and cellular telephone number(s) as well as information about wireless services including service plan, usage and billing statements.

Read more about the UScellular breach

 

Georgia Bone and Joint Surgeons experienced a hacking/IT incident through a network server that affected approximately 501 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the Georgia Bone and Joint Surgeons breach

 

Anthem Inc. has alerted 2,003 members that some of their protected health information has potentially been viewed or obtained by an unauthorized individual who gained access to the network of one of its business associates. The types of data stored on the compromised systems included names, addresses, dates of birth, healthcare provider names, health insurance numbers, group numbers, dates and types of health care services, medical record numbers, lab test results, prescription information, payment information, claims information, social security numbers, and driver’s license numbers.

Read more about the Anthem breach

 

Walgreens suffered a loss of some paper/films that affected 1,352 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the Walgreens breach

 

Daniel J. Edelman Holdings suffered a hacking/IT incident involving their email that affected approximately 184,500 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the Daniel J. Edelman Holdings breach

 

A New Leaf Inc suffered a hacking/IT incident involving their network server that affected approximately 10,438 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the A New Leaf breach

 

Ibex announced that the company’s IT systems were the target of a malware attack, resulting in the compromise of sensitive consumer data of more than 174,000 individuals.

Read more about the Ibex breach

 

Ciox Health learned that an unauthorized person accessed an employee’s email account and may have been able to view health information of patients of several of Ciox’s health system and provider clients. The information contained in the account included patient names, dates of birth, provider names and dates of service.

Read more about the Ciox Health breach

 

Broward Health suffered a data breach when a hacker accessed personal and medical information of patients and staff. The intruder gained access to their network through a third-party medical provider that was allowed to access its systems. A statement from the hospital said the intruder accessed names, birthdays, addresses, banking information, social security numbers, drivers’ license numbers, patient histories and treatment and diagnosis records, among other information.

Read more about the Broward Health breach

 

UAW Retiree Medical Benefits Trust suffered a hacking/IT incident involving their network server that affected 576 individuals. Details are limited and the breach was reported to the Department of Health and Human Services.

Read more about the UAW Retiree Medical Benefits Trust breach

 

T-Mobile has suffered another data breach, a few months after a huge breach in August. The new breach seems to have affected a smaller group of customers, who received notifications of unauthorized activity that consisted of hackers checking out customer proprietary network information, pulling off a physical SIM swap, or both. "Customer proprietary network information," or CPNI, includes all the data T-Mobile has about your phone calls, which, according to the carrier, means "features of your voice calling service (e.g., international calling), usage information (like call logs — including date, time, phone numbers called, and duration of calls), and quantitative data like minutes used." CPNI doesn't contain any billing-related information, like names or addresses.

Read more about the T-Mobile breach

 

Southern Orthopaedic Association has started notifying 106,910 patients about a breach of some of their protected health information. The organization detected unauthorized activity in an employee email account. Steps were immediately taken to secure the account and an investigation was launched to determine the nature and scope of the breach. SOA determined that several employee email accounts had been compromised; however, it was not possible to tell which, if any, emails in the accounts had been accessed.

Read more about the Southern Orthopaedic Association breach

 

CompuGroup Medical and Bertelsmann were the victims of a ransomware attack that affected the availability of some internal systems, such as email and phone services. The company claims they have no indication that the attack has impacted customer systems or data.

Read more about the CompuGroup Medical and Bertelsmann breach

 

Fiondella, Milone & LaSaracina, LLP was the victim of a cyber-attack, potentially exposing the personal and financial information of thousands of consumers. While they cannot identify exactly which information was accessed and/or copied, the names and social security numbers of nearly 84,000 customers were contained in the compromised folders.

Read more about the Fiondella, Milone & LaSaracina, LLP breach

 


CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to assessment results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allow healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.
